Stashing parser

The stashing parser combines log entries that are split across multiple lines into a single, consolidated event.

Declaration

The stashing parser collects log fragments that share the same identifier and orders them by current_part (ranging from 0 to total_parts - 1). Once all parts have been received, it creates a single event containing the combined content of all fragments.

---
define:
  type: parsec/parser/stashing

stash:
  identifier: <PROCESS_ID>  # Field used to group related log fragments
  total_parts: <TOTAL_LOG_PARTS>  # Field indicating the total number of expected fragments
  current_part: <LOG_PART>  # Field indicating the position of the current fragment
  content: <MESSAGE>  # Field containing the fragment's content to be combined

  # Optional parameters
  max_age: 15m  # Maximum time to wait for incomplete events before sending them
  max_size: 50000  # Maximum buffer size; incomplete events exceeding this are sent immediately

Example

Input logs with two different identifiers (1024 and 2048) being processed concurrently:

-------timestamp-------   identifier    current_part/total_parts   -----content-----
2025-09-01T12:00:00.000   1024          0/3                        user: harry_potter,
2025-09-01T12:00:00.150   2048          1/2                        ip: 120.10.20.31,
2025-09-01T12:00:00.200   1024          2/3                        action: login
2025-09-01T12:00:00.100   1024          1/3                        ip: 120.10.20.30,
2025-09-01T12:00:00.050   2048          0/2                        user: ron_weasley,

Output events (each identifier produces one consolidated event when all parts are received):

2025-09-01T12:00:00.000   1024 0/3  user: harry_potter, ip: 120.10.20.30, action: login
2025-09-01T12:00:00.050   2048 0/2  user: ron_weasley, ip: 120.10.20.31
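
The reassembly logic described above, as an added sketch that is not LogMan.io Parsec's own code: fragments are grouped by identifier, ordered by current_part, and emitted when complete, when max_size is exceeded, or when max_age has passed. The names Stash, replay and FRAGMENTS are hypothetical; it assumes max_size counts buffered characters per identifier and that fragments are joined with a single space and otherwise left unmodified.

```python
import time

class Stash:
    """Illustrative fragment reassembly; not LogMan.io Parsec code."""
    def __init__(self, max_age=15 * 60, max_size=50000, clock=time.monotonic):
        self.max_age = max_age    # seconds, like max_age: 15m
        self.max_size = max_size  # assumed: characters buffered per identifier
        self.clock = clock
        self.pending = {}         # identifier -> buffered fragments

    def _emit(self, identifier, complete):
        parts = self.pending.pop(identifier)["parts"]
        # Order by current_part, not arrival; joining with a space is an assumption.
        content = " ".join(parts[i] for i in sorted(parts))
        return {"identifier": identifier, "content": content, "complete": complete}

    def add(self, identifier, current_part, total_parts, content):
        """Buffer one fragment; return an event once one is ready, else None."""
        if not 0 <= current_part < total_parts:
            raise ValueError("current_part must be in 0..total_parts-1")
        entry = self.pending.setdefault(
            identifier, {"seen": self.clock(), "parts": {}, "size": 0})
        if current_part in entry["parts"]:
            return None  # duplicate fragment: keep the first copy
        entry["parts"][current_part] = content
        entry["size"] += len(content)
        if len(entry["parts"]) == total_parts:
            return self._emit(identifier, complete=True)
        if entry["size"] > self.max_size:
            return self._emit(identifier, complete=False)  # bound memory use
        return None

    def flush_expired(self):
        """Emit incomplete events that have waited longer than max_age."""
        now = self.clock()
        stale = [i for i, e in self.pending.items() if now - e["seen"] > self.max_age]
        return [self._emit(i, complete=False) for i in stale]

# Constructed input: the five fragments from the example, in the order listed.
FRAGMENTS = [
    ("1024", 0, 3, "user: harry_potter,"),
    ("2048", 1, 2, "ip: 120.10.20.31,"),
    ("1024", 2, 3, "action: login"),
    ("1024", 1, 3, "ip: 120.10.20.30,"),
    ("2048", 0, 2, "user: ron_weasley,"),
]

def replay(fragments, stash):
    events = (stash.add(*f) for f in fragments)
    return [e for e in events if e is not None]
```

Events emitted with complete set to False are the ones flushed by max_age or max_size; a downstream rule can use that flag to treat truncated records separately from fully reassembled ones.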

Cisco ISE logs

Example of Cisco ISE RADIUS accounting logs that are split across multiple lines and need to be stashed:

--------timestamp--------   identifier    current_part/total_parts   -----content-----
2026-05-06T05:45:58.000Z   0009204796    0/2                        1030 <181>1 2026-05-06T05:45:58+02:00 ise-server-01 CISE_RADIUS_Accounting - - - 0009204796 2 0 2026-05-06 05:45:58.349 +02:00 0279051505 3002 NOTICE Radius-Accounting: RADIUS Accounting watchdog update, ConfigVersionId=140, Device IP Address=192.0.2.15, UserName=john.doe@example.com, NetworkDeviceName=switch-core-01, User-Name=john.doe@example.com, NAS-IP-Address=192.0.2.15, ...
2026-05-06T05:45:58.050Z   0009204796    1/2                        698 <181>1 2026-05-06T05:45:58+02:00 ise-server-01 CISE_RADIUS_Accounting - - - 0009204796 2 1 SelectedAccessService=WIRED_DOT1X, RequestLatency=2, Step=11004, Step=11017, Step=15049, Step=15008, Step=22085, Step=11005, ...

Output (consolidated event from both parts):

2026-05-06T05:45:58.000Z   0009204796 ise-server-01 CISE_RADIUS_Accounting - - - 3002 NOTICE Radius-Accounting: RADIUS Accounting watchdog update, ConfigVersionId=140, Device IP Address=192.0.2.15, UserName=john.doe@example.com, NetworkDeviceName=switch-core-01, User-Name=john.doe@example.com, NAS-IP-Address=192.0.2.15, ...

Warning

The stashing parser can be used only when the event lane runs a single instance of LogMan.io Parsec.

The number of instances of LogMan.io Parsec is set in the event lane configuration.

/EventLanes/mytenant/cisco-ise-1.yaml
---
define:
  type: lmio/event-lane
  name: Cisco ISE

parsec:
  name: /Parsers/Cisco/ISE/
  instances: 1