Hi,
In stdout i'm able to see the Aggregate events got printed, but not able to see in elasticsearch index.
logstash conf:
filter {
if [user.id] != "" and [user.id] != 'null' and [user.id] != 'error' {
aggregate {
task_id => "%{user.id}_%{+d}_%{+MMM}"
code => "
if(event.get('user.id') != 'error')
map['sdfilesize'] ||= 0 ;
fileSize = event.get('file.size')
if fileSize
map['sdfilesize'] += event.get('file.size');
end
map['user.id'] ||= 0 ;
map['user.id'] = event.get('user.id');
map['incident_creation_date'] ||= 0 ; map['incident_creation_date'] = event.get('incident_creation_date');
map['user.business_unit'] ||= 0 ; map['user.business_unit'] = event.get('user.business_unit');
map['user.full_name'] ||= 0 ; map['user.full_name'] = event.get('user.full_name');
map['recipient_identifier'] ||= [] ; map['recipient_identifier'] << event.get('recipient_identifier');
map['file.extension'] ||= [] ; map['file.extension'] << event.get('file.extension');
map['user.department'] ||= 0 ; map['user.department'] = event.get('user.department');
end"
push_map_as_event_on_timeout => true
timeout_task_id_field => "sdf"
timeout => 300
inactivity_timeout => 120
timeout_tags => ['_aggregatetimeout']
}
}
}
output {
stdout { codec => rubydebug }
elasticsearch {
ssl => true
ssl_certificate_verification => false
hosts => "<url>"
user => "logstash"
password => "logstash"
index => "testidx-%{+YYYY.MM}"
document_id => "%{id}"
routing => "%{user.id}"
}
}