Aggregate filter (Combine Logs)

Yimjunhyeok · March 21, 2018, 7:22am

Hello..

I have a trouble making 1 log with 2 events.

1521537121385|172.16.130.205|First
1521537121385|172.16.130.205|Second
1521537121386|172.16.130.205|Third
(LastSessionTime)(SrcIP)(ExtractedText)

Then i want to make combined log (ExtractedText + ExtractedText ==> FullContent)

==>
1521537121385|172.16.130.2015|FirstSecond

aggregate{
task_id => "%{LastSessionTime}"
code => "
map['LastSessionTime'] = event.get('LastSessionTime')
map['FullContent'] ||= []
map['FullContent'] << {'ExtractedText' => event.get('ExtractedText')}
event.cancel()
"
push_previous_map_as_event => true
timeout => 3
map_action => "update"
}

But i can't see the "FullContent" Column in Kibana.

Who knows the solution?

Yimjunhyeok · March 27, 2018, 8:13am

		if "1" == [DivideStatus]  {
         aggregate {
            task_id => "%{SavedFileName}"
            code => "map['FullContent'] ||= '' ; map['FullContent'] += event.get('FileExtractText')"
            map_action => "create"
			}
		}
		if "2" == [DivideStatus] {
         aggregate {
            task_id => "%{SavedFileName}"
            code => "map['FullContent'] += event.get('FileExtractText')"
            map_action => "update"
            }
		}
		if "3" == [DivideStatus] {
		aggregate {
            task_id => "%{SavedFileName}"
            code => "map['FullContent'] += event.get('FileExtractText')
					event.set('FullContent', map['FullContent'])"
			map_action => "update"
			end_of_task => true
			timeout => 600
            timeout_tags => ["aggregate_timeout"]
            }
		}

system · April 24, 2018, 8:14am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.