I have a log like this:
id - API - logtype
1 - login - process
1 - logout - process
1 - init - entry
I want to add a new field called parentAPI, based on the API with the same id and logtype "entry". The expected results are:
{
    "id" => 1,
    "API" => "login",
    "logtype" => "process",
    "parentAPI" => "init"
}
{
    "id" => 1,
    "API" => "logout",
    "logtype" => "process",
    "parentAPI" => "init"
}
{
    "id" => 1,
    "API" => "init",
    "logtype" => "entry",
    "parentAPI" => "init"
}
The challenge here is that the entry logs may come after other logs. I have a working solution for the case where entry logs always come first:
# aggregate keeps state across events, so the pipeline must run with a single worker (-w 1)
filter {
  grok {
    match => [ "message", "%{WORD:id} - %{WORD:API} - %{WORD:logtype}" ]
  }
  if [logtype] == "entry" {
    # the "entry" event starts the task: store its API in the map and on the event itself
    aggregate {
      task_id => "%{id}"
      code => "map['parentAPI'] = event.get('API'); event.set('parentAPI', map['parentAPI'])"
      map_action => "create"
    }
  }
  if [logtype] != "entry" {
    # other logtypes only read the map; with map_action "update" the code is skipped
    # (and parentAPI stays unset) when no map exists yet for this id
    aggregate {
      task_id => "%{id}"
      code => "event.set('parentAPI', map['parentAPI'])"
      map_action => "update"
      timeout => 600
    }
  }
}
output {
  stdout { codec => rubydebug }
}
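The following is an added example, not code from the original post or from Logstash: a stand-alone Ruby model of the per-task-id logic in the config above (one map per id, parentAPI taken from the "entry" event, eviction after a timeout), extended to the out-of-order case the question raises. Events whose "entry" has not arrived yet are held per id and released with parentAPI filled in once it does; ids that never see an entry are flushed on timeout with parentAPI nil and a tag. The class ParentApiResolver, the function resolve_lines, the tag "_parentapi_timeout" and the sample lines are this example's own assumptions.

```ruby
# Added example (not from the original post): a Ruby model of the aggregate-style
# logic in the question, extended so the "entry" event of an id may arrive after
# the other events of that id. Names and sample data here are constructed.

# Same shape as the question's grok pattern: "%{WORD:id} - %{WORD:API} - %{WORD:logtype}"
LINE_RE = /\A(?<id>\w+) - (?<API>\w+) - (?<logtype>\w+)\z/

def parse_line(line)
  m = LINE_RE.match(line.strip)
  return nil unless m
  { "id" => m[:id], "API" => m[:API], "logtype" => m[:logtype] }
end

class ParentApiResolver
  # timeout: seconds after a task's first event before its state is evicted,
  # mirroring the aggregate filter's timeout => 600
  def initialize(timeout: 600)
    @timeout = timeout
    @tasks = {} # task_id => { parent: String|nil, started_at: Integer, pending: [events] }
  end

  # Feed one parsed event observed at time `now` (seconds). Returns the events
  # that can be emitted now, each with "parentAPI" set.
  def process(event, now)
    out = expire(now)
    task = (@tasks[event["id"]] ||= { parent: nil, started_at: now, pending: [] })
    if event["logtype"] == "entry"
      # entry seen: remember the parent and release everything held for this id
      task[:parent] = event["API"]
      out << event.merge("parentAPI" => task[:parent])
      task[:pending].each { |e| out << e.merge("parentAPI" => task[:parent]) }
      task[:pending].clear
    elsif task[:parent]
      # entry already seen: the in-order case the question's config handles
      out << event.merge("parentAPI" => task[:parent])
    else
      # entry not seen yet: hold the event until it arrives or the task times out
      task[:pending] << event
    end
    out
  end

  # Evict tasks older than the timeout; their still-pending events are released
  # without a parent and tagged so they can be spotted downstream.
  def expire(now)
    out = []
    @tasks.delete_if do |_id, task|
      next false if now - task[:started_at] < @timeout
      task[:pending].each do |e|
        out << e.merge("parentAPI" => nil, "tags" => ["_parentapi_timeout"])
      end
      true
    end
    out
  end

  # Force-expire everything, e.g. at pipeline shutdown.
  def flush_all
    expire(Float::INFINITY)
  end
end

# stamped_lines: array of [seconds, raw_line] pairs in arrival order.
def resolve_lines(stamped_lines, timeout: 600)
  resolver = ParentApiResolver.new(timeout: timeout)
  out = []
  stamped_lines.each do |t, line|
    ev = parse_line(line)
    next if ev.nil? # the equivalent of a _grokparsefailure: skip the line
    out.concat(resolver.process(ev, t))
  end
  out.concat(resolver.flush_all)
end

# Constructed sample input: id 1 gets its entry event last, id 2 is in order,
# id 3 never gets an entry event, and a late id 1 event arrives after its
# state has expired (as it would after aggregate's timeout).
SAMPLE = [
  [0,   "1 - login - process"],
  [1,   "1 - logout - process"],
  [2,   "1 - init - entry"],
  [3,   "2 - open - entry"],
  [4,   "2 - close - process"],
  [5,   "3 - orphan - process"],
  [700, "1 - refresh - process"],
]

if __FILE__ == $0
  resolve_lines(SAMPLE).each { |e| p e }
end
```

Running the file prints the resolved events: the three id 1 events with parentAPI "init" (emitted together when the entry arrives), the id 2 pair with "open", and the two events whose id never had a live entry with parentAPI nil and the timeout tag. The trade-off this model makes explicit is that holding events costs latency and memory bounded only by the timeout, which is why the timeout must be chosen per task_id rather than left open-ended. Inside Logstash the config on the page can only set fields on the event currently in hand; releasing held events later needs a filter that can emit new events (for example a ruby filter), and the expiry side maps onto the aggregate filter's timeout handling.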