Hi Everyone,
I am sorry if I'm posting this in the wrong place. I have an issue with the Logstash aggregate filter which has been ongoing for 2 weeks now.
I am a Java developer, so I don't understand much Ruby. The challenge I am facing is this: I get log alerts every so often, so I want all logs within 2 mins to be aggregated as a single event. With my current configuration I only receive a single alert every 2 mins; if more than one alert occurs, only one is sent. I would like all alerts aggregated as one event. Below is the snippet of the filter I'm using. Please, I need some help. Thank you.
```
filter {
  if "Alert" in [message] {
    aggregate {
      # one map per source host
      task_id => "%{source}"
      # this assignment replaces the previous value on every event,
      # so the map only ever holds the most recent message
      code => "map['alerts'] = event.get('message')"
      map_action => "create_or_update"
      push_map_as_event_on_timeout => true
      timeout => 120
      timeout_tags => ['aggregated']
    }
    # keep only the event pushed by the timeout, drop the originals
    if "aggregated" not in [tags] {
      drop {}
    }
  } else {
    drop {}
  }
}
```
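The following is an added illustration, not code from the post or from the aggregate plugin: a small Ruby model of the filter's per-task map that runs the posted `code` block beside an accumulating variant over a constructed burst of alerts, so the difference in what gets pushed on timeout is visible. The `AggregateModel` class, the `run` helper and the sample alerts are assumptions made for this demonstration; the real plugin also runs its timeout check periodically, not only on the next event.

```ruby
# Constructed model of the aggregate filter's task map (not the plugin's code).
# Events are Hashes; the block receives (event, map); on timeout the map is
# pushed as a new event carrying the 'aggregated' tag.
class AggregateModel
  def initialize(timeout:, &code)
    @timeout = timeout
    @code = code
    @maps = {} # task_id => { 'map' => {...}, 'created' => seconds }
  end

  # Feed one event observed at +now+ seconds. Returns any maps whose
  # timeout expired, already turned into aggregated events.
  def push(event, now)
    flushed = flush_expired(now)
    entry = (@maps[event['source']] ||= { 'map' => {}, 'created' => now })
    @code.call(event, entry['map'])
    flushed
  end

  # Expired maps become events holding the map contents plus timeout_tags
  # (the real plugin adds the task id only if timeout_task_id_field is set).
  def flush_expired(now)
    expired, keep = @maps.partition { |_, e| now - e['created'] >= @timeout }
    @maps = keep.to_h
    expired.map { |_, e| e['map'].merge('tags' => ['aggregated']) }
  end
end

# Constructed sample: three alerts from one host inside the 120 s window,
# then a fourth after it, which triggers the flush of the first map.
ALERTS = [
  { 'source' => 'web-01', 'message' => 'Alert: login failure', 't' => 0 },
  { 'source' => 'web-01', 'message' => 'Alert: disk 95% full', 't' => 30 },
  { 'source' => 'web-01', 'message' => 'Alert: sshd restarted', 't' => 60 },
  { 'source' => 'web-01', 'message' => 'Alert: login failure', 't' => 130 }
]

def run(alerts, &code)
  agg = AggregateModel.new(timeout: 120, &code)
  alerts.each_with_object([]) { |ev, out| out.concat(agg.push(ev, ev['t'])) }
end

# As posted: plain assignment overwrites, so only the last alert survives.
OVERWRITE = run(ALERTS) { |event, map| map['alerts'] = event['message'] }
# Append to an array instead, and every alert in the window is kept.
ACCUMULATE = run(ALERTS) { |event, map| (map['alerts'] ||= []) << event['message'] }
```

In the Logstash config the accumulating form is the same one-liner in the `code` option: `code => "(map['alerts'] ||= []) << event.get('message')"`.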