Logstash - Use of Memorize plugin

Question

Trying to use the \"memorize\" plugin like so:

            if [message] =~ /matching event/ {

                grok {
                    match => [ \"message         


        

Answer 1

The way that plugin works would be like this:

        if [message] =~ /matching event/ {
            grok {
                match => [ "message", "%{mymatch:datetime}" ]
            }
        }
        # either save the datetime or add it based on last value
        memorize {
           field => 'datetime'
           default => '00:00:00'
        }

        if [message] =~ /another event/ {
            # datetime has already been added based on the above line
        }