Aggregate filter (Combine Logs)

Yimjunhyeok · March 21, 2018, 7:22am

Hello..

I have a trouble making 1 log with 2 events.

1521537121385|172.16.130.205|First
1521537121385|172.16.130.205|Second
1521537121386|172.16.130.205|Third
(LastSessionTime)(SrcIP)(ExtractedText)

Then i want to make combined log (ExtractedText + ExtractedText ==> FullContent)

==>
1521537121385|172.16.130.2015|FirstSecond

aggregate{
task_id => "%{LastSessionTime}"
code => "
map['LastSessionTime'] = event.get('LastSessionTime')
map['FullContent'] ||= []
map['FullContent'] << {'ExtractedText' => event.get('ExtractedText')}
event.cancel()
"
push_previous_map_as_event => true
timeout => 3
map_action => "update"
}

But i can't see the "FullContent" Column in Kibana.

Who knows the solution?

Yimjunhyeok · March 27, 2018, 8:13am

		if "1" == [DivideStatus]  {
         aggregate {
            task_id => "%{SavedFileName}"
            code => "map['FullContent'] ||= '' ; map['FullContent'] += event.get('FileExtractText')"
            map_action => "create"
			}
		}
		if "2" == [DivideStatus] {
         aggregate {
            task_id => "%{SavedFileName}"
            code => "map['FullContent'] += event.get('FileExtractText')"
            map_action => "update"
            }
		}
		if "3" == [DivideStatus] {
		aggregate {
            task_id => "%{SavedFileName}"
            code => "map['FullContent'] += event.get('FileExtractText')
					event.set('FullContent', map['FullContent'])"
			map_action => "update"
			end_of_task => true
			timeout => 600
            timeout_tags => ["aggregate_timeout"]
            }
		}

Topic		Replies	Views
Combining 3 logs into one Logstash	2	258	August 17, 2023
Combine 2 events into one Logstash	2	4152	February 8, 2017
Join two log files in logstash conf Logstash	16	1626	July 8, 2020
Join two log files using aggregate filter of logstash to enter combined event in kibana Logstash	1	294	July 8, 2020
Combining two events in one Logstash	9	9766	July 6, 2017

Aggregate filter (Combine Logs)

Related topics