Aggregate filter plugin

pero · July 31, 2023, 3:25pm

I have these two json documents

Document 1 is

{
  "_index": "auditbeat-2023.07.31",
  "_type": "_doc",
  "_id": "KhknrIkBBEGDHOFEynSE",
  "_version": 1,
  "_score": null,
  "_source": {
    "ecs": {
      "version": "1.1.0"
    },
    "@version": "1",
    "my_client_ip": "%{[system][socket][client][ip]}",
    "my_newfield1": "%{my_newfield}",
    "tag_1": "beats123",
    "agent": {
      "ephemeral_id": "de04927d-1df2-4c28-9831-e234b8239c26",
      "hostname": "userB",
      "type": "auditbeat",
      "id": "1b2ffabb-287b-4a21-8e9e-7886e49673b0",
      "version": "7.4.1"
    },
    "signature": "auditbeat",
    "message": "Process sendmail-mta (PID: 20289) by user root STARTED",
    "@timestamp": "2023-07-31T13:33:49.143Z",
    "cloud": {
      "machine": {
        "type": "standard.medium"
      },
      "instance": {
        "id": "i-0000021a",
        "name": "default0-p0000000044-s0000000048-userb.novalocal"
      },
      "provider": "openstack",
      "availability_zone": "nova"
    },
    "application": "auditbeat",
    "user": {
      "saved": {
        "id": "0",
        "group": {
          "id": "119"
        }
      },
      "name": "root",
      "group": {
        "id": "0",
        "name": "root"
      },
      "id": "0",
      "effective": {
        "id": "0",
        "group": {
          "id": "119"
        }
      }
    },
    "tag_2": "beats_input_codec_plain_applied",
    "host": {
      "name": "userB",
      "hostname": "userB",
      "containerized": false,
      "architecture": "x86_64",
      "os": {
        "name": "Ubuntu",
        "platform": "ubuntu",
        "version": "14.04.6 LTS, Trusty Tahr",
        "codename": "trusty",
        "kernel": "3.13.0-24-generic",
        "family": "debian"
      },
      "id": "26b1ceca54c197067320f0bf634024c6"
    },
    "process": {
      "name": "sendmail-mta",
      "ppid": 2387,
      "start": "2023-07-31T13:33:42.190Z",
      "entity_id": "TP065Y1SDJ30ZqCD",
      "args": [
        "sendmail: MTA: 36VDXgjq020289 localhost [127.0.0.1]: MAIL FROM"
      ],
      "hash": {
        "sha1": "59a52509020b6fe10ac9585453c9138732879b7f"
      },
      "working_directory": "/var/spool/mqueue",
      "pid": 20289,
      "executable": "/usr/lib/sm.bin/sendmail"
    },
    "service": {
      "type": "system"
    },
    "event": {
      "kind": "event",
      "module": "system",
      "dataset": "process",
      "action": "process_started"
    }
  },
  "fields": {
    "@timestamp": [
      "2023-07-31T13:33:49.143Z"
    ],
    "process.start": [
      "2023-07-31T13:33:42.190Z"
    ]
  },
  "highlight": {
    "event.module": [
      "@kibana-highlighted-field@system@/kibana-highlighted-field@"
    ]
  },
  "sort": [
    1690810429143
  ]
}

Document 2 is

{
  "_index": "auditbeat-2023.07.31",
  "_type": "_doc",
  "_id": "aRlFrIkBBEGDHOFEcKA2",
  "_version": 1,
  "_score": null,
  "_source": {
    "event": {
      "action": "connected-to",
      "module": "auditd",
      "outcome": "success",
      "category": "audit-rule"
    },
    "ecs": {
      "version": "1.1.0"
    },
    "auditd": {
      "data": {
        "a0": "5",
        "tty": "(none)",
        "arch": "x86_64",
        "a1": "1c61150",
        "syscall": "connect",
        "a3": "d866133124f88",
        "socket": {
          "addr": "10.0.2.24",
          "port": "53",
          "family": "ipv4"
        },
        "exit": "0",
        "a2": "10"
      },
      "sequence": 4192387,
      "result": "success",
      "message_type": "syscall",
      "summary": {
        "how": "/usr/lib/sm.bin/sendmail",
        "actor": {
          "secondary": "root",
          "primary": "unset"
        },
        "object": {
          "secondary": "53",
          "primary": "10.0.2.24",
          "type": "socket"
        }
      }
    },
    "my_client_ip": "%{[system][socket][client][ip]}",
    "network": {
      "direction": "outgoing"
    },
    "agent": {
      "ephemeral_id": "de04927d-1df2-4c28-9831-e234b8239c26",
      "type": "auditbeat",
      "hostname": "userB",
      "id": "1b2ffabb-287b-4a21-8e9e-7886e49673b0",
      "version": "7.4.1"
    },
    "@version": "1",
    "signature": "auditbeat",
    "tag_1": "external-access",
    "tag_3": "beats_input_raw_event",
    "@timestamp": "2023-07-31T14:06:12.128Z",
    "user": {
      "name": "root",
      "group": {
        "id": "0",
        "name": "root"
      },
      "saved": {
        "name": "root",
        "group": {
          "id": "119",
          "name": "smmsp"
        },
        "id": "0"
      },
      "filesystem": {
        "name": "root",
        "group": {
          "id": "119",
          "name": "smmsp"
        },
        "id": "0"
      },
      "id": "0",
      "effective": {
        "name": "root",
        "group": {
          "id": "119",
          "name": "smmsp"
        },
        "id": "0"
      }
    },
    "cloud": {
      "machine": {
        "type": "standard.medium"
      },
      "instance": {
        "id": "i-0000021a",
        "name": "default0-p0000000044-s0000000048-userb.novalocal"
      },
      "provider": "openstack",
      "availability_zone": "nova"
    },
    "application": "auditbeat",
    "tag_2": "beats123",
    "host": {
      "hostname": "userB",
      "name": "userB",
      "containerized": false,
      "architecture": "x86_64",
      "os": {
        "name": "Ubuntu",
        "platform": "ubuntu",
        "version": "14.04.6 LTS, Trusty Tahr",
        "codename": "trusty",
        "kernel": "3.13.0-24-generic",
        "family": "debian"
      },
      "id": "26b1ceca54c197067320f0bf634024c6"
    },
    "service": {
      "type": "auditd"
    },
    "process": {
      "executable": "/usr/lib/sm.bin/sendmail",
      "name": "sendmail-mta",
      "pid": 21089,
      "ppid": 2387
    },
    "my_newfield": "10.0.2.24",
    "destination": {
      "port": "53",
      "ip": "10.0.2.24"
    }
  },
  "fields": {
    "@timestamp": [
      "2023-07-31T14:06:12.128Z"
    ]
  },
  "highlight": {
    "event.module": [
      "@kibana-highlighted-field@auditd@/kibana-highlighted-field@"
    ]
  },
  "sort": [
    1690812372128
  ]
}

How do I use aggregate filter to combine both documents into one single document

I will really appreciate any help on this please
Regards
Pero

Badger · July 31, 2023, 7:22pm

What field tells you that the two documents should be combined?

pero · July 31, 2023, 8:06pm

I want to combine the fields of both documents and just have a single document. Is this possible?

system · August 28, 2023, 8:06pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash - Aggregate Filter Logstash	3	3031	December 15, 2017
Merge message with aggregate filter Logstash	10	1198	May 12, 2021
Aggregate filter logstash- pulling field from another event Logstash	1	962	September 28, 2018
Aggregate filter plugin output in a single document - Logstash Logstash	2	367	February 14, 2022
I am trying to pick a field from one event to another using aggregation filter Logstash	2	212	August 14, 2021

Aggregate filter plugin

Related topics