Add new field based on future events

icking · October 9, 2018, 9:58am

I have a log like this:
id- API - logtype
1 - login - process
1 - logout - process
1 - init - entry

I want to add a new field called parentAPI, based on the API with the same id and logtype "entry". The expected results are:

{
"id" => 1,
"API" => "login",
"logtype" => "process",
"parentAPI" => "init"
}
{
"id" => 1,
"API" => "logout",
"logtype" => "process",
"parentAPI" => "init"
}
{
"id" => 1,
"API" => "init",
"logtype" => "entry",
"parentAPI" => "init"
}

The challenge here is that the entry logs may come after other logs. I have a working solution for the case where entry logs always come first:

filter {
   grok {
     match => [ "message", "%{WORD:id} - %{WORD:API} - %{WORD:logtype}" ]
   }

   if [logtype] == "entry" {
     aggregate {
       task_id => "%{id}"
       code => "map['parentAPI'] = event.get('API'); event.set('parentAPI', map['parentAPI'])"
       map_action => "create"
     }
   }

  if [logtype] != "entry" {
     aggregate {
       task_id => "%{id}"
       code => "event.set('parentAPI', map['parentAPI'])"
       map_action => "update"
       timeout => 600
     }
   }
}
 
output {
  stdout { codec => rubydebug }
}

system · November 6, 2018, 9:58am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.