FluentD 1.16.3 and Fluent-bit 1.8.11
I have the following lines in my container log file /var/log/containers/.log*
When an LDAP user's credentials fail (bad user/password):
024-03-28T16:09:23.048182266Z [28/Mar/2024:16:08:58.721901994 +0000] conn=13532278 op=0 BIND dn="uid=f_lastname,ou=People,dc=inf.team" method=128 version=3
2024-03-28T16:09:23.048186511Z [28/Mar/2024:16:08:58.724475049 +0000] conn=13532278 op=0 RESULT err=49 tag=97 nentries=0 wtime=0.045728791 optime=0.002580362 etime=0.048307196 - Invalid credentials
When a user's password is reset in LDAP:
time: 20240328011425
dn: uid=utest_ignore,ou=People,dc=inf.team
result: 0
changetype: modify
replace: userPassword
userPassword:: e1NTSEE1ZCJ9VkRsSy9xMmlyVExacjJVT0pVMCtOUFg4bWVneVFRYlMvY1k3T1B
ab2wzbUs1RWZMS3RtN0dyOTNBhYlleTk2UFhBd01WQjVgYhUxZTcyWWR4QnlPSDdxN2RibTlLaGNv
-
replace: modifiersName
modifiersName: cn=ldag_mgr
-
replace: modifyTimestamp
modifyTimestamp: 20240328011433Z
-
[28/Mar/2024:00:46:51.830952828 +0000] - DEBUG - NS7bitAttr - preop_modify - MODIFY begin
I tried the fluent-bit Multiline parser configuration, but that's not giving me the desired output I need. It says that it basically concatenates/clubs all (multiple) lines into one object as a string value (as per the examples shown at this URL):
https://docs.fluentbit.io/manual/v/1.8/administration/configuring-fluent-bit/multiline-parsing - not very straightforward.
In Fluentd, there's a multiline parser which looks promising, but I'm not getting the desired output either.
https://docs.fluentd.org/parser/multiline
I tried the following conf file for catching the data (when a user's password is reset in LDAP):
<parse>
@type multiline
# format_firstline only detects where a record starts; format1..formatN are
# concatenated into one regexp, so format1 itself must match the "time:" line
format_firstline /^time: /
format1 /^time: (?<time>[^\n]+)\n/
format2 /^dn: (?<dn>[^\n]+)\n/
format3 /^result: (?<result>[^\n]+)\n/
format4 /^changetype: (?<changetype>[^\n]+)\n/
format5 /^replace: (?<replace>[^\n]+)\n/
time_format %Y%m%d%H%M%S
# keep "time" in the record as well (it is otherwise moved to the event time)
keep_time_key true
</parse>
but I'm getting errors that my above conf file is incorrect.
The desired output I would like, using a FluentD configuration, is this: I want only the first 5 lines from the "time:" line (I don't care about the other lines after the 5th line).
{"time": "20240328011425",
"dn": "uid=utest_ignore,ou=People,dc=inf.team",
"result": "0",
"changetype": "modify",
"replace": "userPassword"
}
For the case where an LDAP user's credentials fail (bad user/password), I want to cherry-pick only a few fields from those 2 log lines above, resulting in a JSON blob, i.e.
{
"conn": "13532278",
"op": "0",
"dn": "uid=f_lastname,ou=People,dc=inf.team",
"result": "Invalid credentials"
}
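As an added example (not part of the question, and not Fluentd's own code), the following Ruby sketch covers both cases above: for the password-reset block it emulates how Fluentd's multiline parser joins format1..formatN into a single regexp (so format1 must match the "time:" line), and for the failed-login case it pairs the BIND and RESULT lines by their shared (conn, op) key. The sample log text is constructed from the lines in the question; the userPassword hash is truncated.

```ruby
# Constructed sample of the password-reset (audit log) block from the question.
AUDIT_BLOCK = <<~LOG
  time: 20240328011425
  dn: uid=utest_ignore,ou=People,dc=inf.team
  result: 0
  changetype: modify
  replace: userPassword
  userPassword:: e1NTSEE1ZCJ9Vk (constructed, truncated)
  -
LOG

# Fluentd's multiline parser joins format1..formatN into ONE regexp and matches
# it against the buffered lines, so format1 must match the "time:" line that
# format_firstline detected. These are the five patterns of such a <parse> block.
AUDIT_FORMATS = [
  /^time: (?<time>[^\n]+)\n/,
  /^dn: (?<dn>[^\n]+)\n/,
  /^result: (?<result>[^\n]+)\n/,
  /^changetype: (?<changetype>[^\n]+)\n/,
  /^replace: (?<replace>[^\n]+)\n/
]
AUDIT_RE = Regexp.new(AUDIT_FORMATS.map(&:source).join, Regexp::MULTILINE)

# Returns only the five wanted fields (or nil when the block does not match).
def parse_password_reset(block)
  AUDIT_RE.match(block)&.named_captures
end

# Constructed sample of the two access-log lines (container timestamp kept).
ACCESS_LINES = <<~LOG
  2024-03-28T16:09:23.048182266Z [28/Mar/2024:16:08:58.721901994 +0000] conn=13532278 op=0 BIND dn="uid=f_lastname,ou=People,dc=inf.team" method=128 version=3
  2024-03-28T16:09:23.048186511Z [28/Mar/2024:16:08:58.724475049 +0000] conn=13532278 op=0 RESULT err=49 tag=97 nentries=0 wtime=0.045728791 optime=0.002580362 etime=0.048307196 - Invalid credentials
LOG

BIND_RE   = /conn=(?<conn>\d+) op=(?<op>\d+) BIND dn="(?<dn>[^"]+)"/
RESULT_RE = /conn=(?<conn>\d+) op=(?<op>\d+) RESULT err=(?<err>\d+) .* - (?<result>.+)$/

# BIND and RESULT are separate lines sharing only (conn, op), and lines from
# other connections can sit between them, so pair them by that key.
def bind_results(lines)
  pending, events = {}, []
  lines.each_line(chomp: true) do |line|
    if (m = BIND_RE.match(line))
      pending[[m[:conn], m[:op]]] = m[:dn]
    elsif (m = RESULT_RE.match(line)) && (dn = pending.delete([m[:conn], m[:op]]))
      events << { 'conn' => m[:conn], 'op' => m[:op], 'dn' => dn, 'result' => m[:result] }
    end
  end
  events
end
```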