Aggregate filter with timeout_timestamp_field

lakshmi-github · August 14, 2018, 12:15am

Hello,

I am trying to get a count of certain log events aggregated by minute where the timestamp should be based on a date-time string in the log. Based on the documentation for aggregation, here is what I have so far.

Sample input log entries:

20180809-031301 Got a message
20180809-031331 Got a message
20180809-031401 Got a message
20180809-031431 Got a message

I would like logstash to show 2 messages each for minutes 20180809-0313 and 20180809-0314. This is US/Pacific time, in the logstash config below I convert these to UTC, save it to an event field and specify this field as the timeout_timestamp_field.

l.conf:

input {
  stdin { }
}

filter {
  grok {
    match => { "message" => "(?<logminute>^\d{8}-\d{4})\d{2}\s+Got a message.*" }
  }

  ruby {
   code  => '
     require "tzinfo"
     t = Time.strptime(event.get("logminute") + "00", "%Y%m%d-%H%M%S")
     fromTZ = TZInfo::Timezone.get("US/Pacific")
     t_utc = fromTZ.local_to_utc(Time.new(t.year, t.month, t.day, t.hour, t.min, t.sec))
     event.set("logminute_utc", t_utc)
   '
  }

  aggregate {
    task_id => "%{logminute}"
    code => "map['cnt'] ||= 0; map['cnt'] += 1;"
    push_map_as_event_on_timeout => true
    timeout_tags => ['_aggregatetimeout']
    timeout => 60
    timeout_timestamp_field => "logminute_utc"
    timeout_code => '
      event.set("minute_rolled_over", "yes")
    '
  }

  mutate {
    remove_field => [ "@timestamp", "host", "@version" ]
  }
}

output {
  #if "_aggregatetimeout" in [tags] {
  stdout { codec => rubydebug }
  #}
}

I ran this with logstash-6.3.1 and only got the 4 events and no aggregation event.

{
    "logminute_utc" => 2018-08-09T10:14:00.000Z,
        "logminute" => "20180809-0314",
          "message" => "20180809-031401 Got a message"
}
{
    "logminute_utc" => 2018-08-09T10:14:00.000Z,
        "logminute" => "20180809-0314",
          "message" => "20180809-031431 Got a message"
}
{
    "logminute_utc" => 2018-08-09T10:13:00.000Z,
        "logminute" => "20180809-0313",
          "message" => "20180809-031301 Got a message"
}
{
    "logminute_utc" => 2018-08-09T10:13:00.000Z,
        "logminute" => "20180809-0313",
          "message" => "20180809-031331 Got a message"
}

Can you help with what I may be missing here.

Thanks in advance.

Lakshmi.

Badger · August 14, 2018, 12:37am

Did you actually wait the 60 seconds for the timeouts to occur? Try it with a shorter timeout.

You probably want to add

timeout_task_id_field => "logminute"

I don't think timeout_timestamp_field does what you think it does, but I could be wrong on both of those "think" items

You may or may not want to add "event.cancel;" to the code option on the aggregate.

lakshmi-github · August 14, 2018, 5:18am

I'm parsing old logs aggregated by 60 seconds worth of log entries as determined by log time stamp, so I figured I'd need the timeout_timestamp_field and 60 second timeout.

And for current logs also I am trying to link the aggregation interval to the log time stamp rather than system time, hence the need for timeout_timestamp_field.

At least this is my understanding from Elastic's documentation, https://www.elastic.co/guide/en/logstash/current/plugins-filters-aggregate.html

Perhaps I'm missing something else.

system · September 11, 2018, 5:19am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Aggregate filter timeout by event timestamp rather than by system time Logstash	1	552	July 6, 2017
Aggregate Filter does not work with OLD log files Logstash	1	433	October 9, 2018
Logstash aggregate field and increase count Logstash	4	1653	August 20, 2021
Problem using timeout_timestamp_field in the aggregate filter Logstash	3	539	May 16, 2019
Aggregation filter timeout settings Logstash	5	2097	September 23, 2019

Aggregate filter with timeout_timestamp_field

Related topics