Aggregation of log lines

I would like to aggregate the 3 lines below (identical except for the timestamp)

04/13/2018 19:31:20 [ACPServerThread_226] VERBOSE SERVER - ::ACPSCConnectionResponder::SiteController Connection Accepted for SiteControllerIP= 172.168.1.134 , SiteControllerId= 1
    04/13/2018 19:32:20 [ACPServerThread_226] VERBOSE SERVER - ::ACPSCConnectionResponder::SiteController Connection Accepted for SiteControllerIP= 172.168.1.134 , SiteControllerId= 1
    04/13/2018 19:35:20 [ACPServerThread_226] VERBOSE SERVER - ::ACPSCConnectionResponder::SiteController Connection Accepted for SiteControllerIP= 172.168.1.134 , SiteControllerId= 1

into a single message carrying the count, like this:

04/13/2018 19:35:20 [ACPServerThread_226] VERBOSE SERVER - ::ACPSCConnectionResponder::SiteController Connection Accepted for SiteControllerIP= 172.168.1.134 , SiteControllerId= 1,count=3

Below is my configuration, which is not working.

# Read every .log file under C:/poc from its start and stitch continuation
# lines onto the line that precedes them: any line that does NOT begin with
# a PANACES_DATE (defined in ./patterns, not shown here) is appended to the
# previous event.
input {
  file {
    path           => "C:/poc/*.log"
    start_position => "beginning"
    codec          => multiline {
      patterns_dir => ["./patterns"]
      pattern      => "^%{PANACES_DATE}"
      negate       => true
      what         => previous
    }
  }
}

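filter {
  # Only the "Connection Accepted" lines are parsed and aggregated; every
  # other line is dropped before it reaches the output.
  if ([message] =~ "SiteController Connection Accepted for SiteControllerIP=") {
    grok {
      patterns_dir => ["./patterns"]
      # Splits one line into log_date, threadname, module, submodule,
      # classname, log_message, siteControllerIP, siteControllerIDKey and
      # siteControllerID. PANACES_DATE comes from ./patterns (not shown).
      match => { "message" => "%{PANACES_DATE:log_date}%{SPACE}\[%{GREEDYDATA:threadname}\]%{SPACE}%{WORD:module}%{SPACE}%{WORD:submodule}%{SPACE}[\-]%{SPACE}::%{WORD:classname}::%{DATA:log_message}%{SPACE}%{IP:siteControllerIP}%{SPACE}[\,]%{SPACE}%{WORD:siteControllerIDKey}[\=]%{SPACE}%{NUMBER:siteControllerID}" }
    }
    # Counts identical lines per thread and emits ONE event per thread once
    # no new line has arrived for `timeout` seconds. The map lives in the
    # memory of a single filter worker, so this pipeline must run with
    # pipeline.workers set to 1; otherwise the count is split across workers.
    aggregate {
      task_id => "%{threadname}"
      # event.cancel() discards the individual line so that only the
      # aggregated map (pushed on timeout) is indexed. The last line's
      # message and date are kept so the pushed event still carries them.
      code => "map['count'] ||= 0 ;
               map['count'] += 1 ;
               map['message'] = event.get('message') ;
               map['log_date'] = event.get('log_date') ;
               event.cancel()"
      push_map_as_event_on_timeout => true
      timeout_task_id_field => "threadname"
      timeout => 60
    }
  } else {
    drop { }
  }
  # grok stores the line's date in [log_date] (there is no [timestamp] field)
  # and the sample lines are month/day/year followed by a 24h time, e.g.
  # "04/13/2018 19:31:20" — that field and layout are what must be parsed
  # into @timestamp. The previous "timestamp" / "dd/MMM/yyyy:HH:mm:ss Z"
  # pair matched neither and was silently skipped.
  date {
    match => [ "log_date", "MM/dd/yyyy HH:mm:ss" ]
  }
}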

# Index every surviving event into the local Elasticsearch node and echo it
# as JSON to stdout. No user/password or ssl options are set here, so this
# only works against an unauthenticated node such as a local POC install.
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "agentlogs21"
  }
  stdout { codec => json }
}
