Aggregate filter does not create a value in the output

ozmhsh · February 22, 2019, 11:35am

In my aggregate filter, I would expect to create new output values 'StartTime' and 'EndTime', by using the timestamp 'tmstp' value of the Start Event and End Event. As following:

   if [Status] == "Start" {
   
      aggregate {
       task_id => "%{ThreadName}"
       code => "map['StartTime'] ||= event.get('tmstp')"
       map_action => "create"
	    add_tag => ["grokked", "Drop"]
     }
                     
   }

 
	
    if [Status] == "End" {
	
	 aggregate {
       task_id => "%{ThreadName}"
       code => "event.set('EndTime', event.get('tmstp'))"     **-------> This line is not working as expected. In the output event, I can see the value for 'tmstp' but there is no output entry for 'EndTime'.**
	   map_action => "update"
       end_of_task => true
       timeout => 120
			}	
    }

Any idea?

Badger · February 22, 2019, 1:52pm

What does the data look like? Does the "End" line contain ThreadName? If not, the aggregate will do nothing.

ozmhsh · February 22, 2019, 8:22pm

I can see the output generated by the End event, just that EndTime attribute is not shown.

Topic		Replies	Views
Aggregate filter not run at all Logstash	4	1169	July 6, 2017
Help with Aggregate filter Logstash	4	312	March 25, 2022
Logstash aggregate filter not working Logstash	2	966	January 11, 2017
Aggregate events with START but no END Logstash	1	568	March 15, 2017
[Logstash] Aggregate filter - no timeout Logstash	7	826	August 19, 2021

Aggregate filter does not create a value in the output

Related topics