Aggregate filter does not create a value in the output

ozmhsh · February 22, 2019, 11:35am

In my aggregate filter, I would expect to create new output values 'StartTime' and 'EndTime', by using the timestamp 'tmstp' value of the Start Event and End Event. As following:

   if [Status] == "Start" {
   
      aggregate {
       task_id => "%{ThreadName}"
       code => "map['StartTime'] ||= event.get('tmstp')"
       map_action => "create"
	    add_tag => ["grokked", "Drop"]
     }
                     
   }

 
	
    if [Status] == "End" {
	
	 aggregate {
       task_id => "%{ThreadName}"
       code => "event.set('EndTime', event.get('tmstp'))"     **-------> This line is not working as expected. In the output event, I can see the value for 'tmstp' but there is no output entry for 'EndTime'.**
	   map_action => "update"
       end_of_task => true
       timeout => 120
			}	
    }

Any idea?

Badger · February 22, 2019, 1:52pm

What does the data look like? Does the "End" line contain ThreadName? If not, the aggregate will do nothing.

ozmhsh · February 22, 2019, 8:22pm

I can see the output generated by the End event, just that EndTime attribute is not shown.

system · March 22, 2019, 8:35pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.