Aggregate filter works in Logstash 6.8 but not in 7.4

Hello Team,

I have a pipeline with an aggregate filter (with a "start event" and an "end event"). This pipeline works perfectly in Logstash version 6.8, and the output contains a map with my values.

Output in Logstash 6.8:

"Checks": [{
		"Check": {
			"data": " Estado de la instancia",
			"result": "OK"
		}
	},
	{
		"Check": {
			"data": " Numero de filesystems criticos por encima del umbral recomendado: 0",
			"result": "OK"
		}
	},
	{
		"Check": {
			"data": " Memoria del servidor 1633(5%) por debajo del 90% del total: 32388",
			"result": "OK"
		}
	},
	{
		"Check": {
			"data": " Conexiones actuales: 20: por debajo del 80% de las maximas: 3256",
			"result": "OK"
		}
	}],
	"@version": "1",
	"Test": "Test",
	"group": "DataBase",
	"servr": "XXXXXXX",
	"app": "XXXXXX",
	"tier": "XXXXXX",
	"@timestamp": "2020-04-30T07:42:01.516Z"
} 

Attached is my pipeline code:

 if [log] =~ /^Script.*/ or [log] =~ /^INICIO.*/ or [log] =~ /^SCRIPT.*/ or [log] =~ /^Inicio.*/ {
   # Start event: create the map for this task and drop the event
   mutate {
     add_field => { "Test" => "Test" }
   }
   aggregate {
     task_id => "%{Test}"
     code => "
       map['Checks'] ||= []
       event.cancel()
     "
     map_action => "create"
   }
 } else if [log] =~ /^FIN .*/ or [log] =~ /^Fin .*/ {
   # End event: copy the collected checks onto the event and close the task
   mutate {
     add_field => { "Test" => "Test" }
   }
   aggregate {
     task_id => "%{Test}"
     code => "event.set('Checks', map['Checks'])"
     map_action => "update"
     end_of_task => true
     timeout => 3
   }
 } else if [log] =~ /^OK: .*/ or [log] =~ /^ERROR: .*/ or [log] =~ /^WARNING: .*/ {
   # Check event: split "RESULT: data" and append it to the map
   mutate {
     add_field => { "Test" => "Test" }
   }
   mutate {
     split => { "log" => ":" }
     add_field => { "[Check][result]" => "%{[log][0]}" }
   }
   ruby {
     code => "
       info = event.get('[log]')
       event.set('[Check][data]', info[1..-1])
     "
   }
   mutate {
     gsub => [
       "[Check][data]", ",", ":"
     ]
   }
   mutate {
     join => { "[Check][data]" => ":" }
   }
   aggregate {
     task_id => "%{Test}"
     code => "
       map['Checks'] << {'[Check]' => event.get('[Check]')}
       event.cancel()
     "
     map_action => "update"
   }
 }

However, in Logstash version 7.4 or higher my pipeline doesn't work. A map called "Checks" doesn't appear in my output. It's as if the pipeline doesn't create a map in the start event (skipping the actions map['Checks']||= []; event.cancel()) or doesn't execute the action in the end event (code => "event.set('Checks',map['Checks'])").

Only one event contains a map called Checks, but it is empty. The other events don't contain a map.

Output in Logstash 7.4:

{
	"absolute_time": "2020-04-29T16:00:41Z",
	"Checks": [],   ---- It's empty
	"tier": "XXXXX",
	"@version": "1",
	"app": "XXXXXX",
	"@timestamp": "2020-04-29T16:40:01.484Z",
	"group": "DataBase",
	"Test": "Test",
	"servr": "XXXXX"
}
{
	"absolute_time": "2020-04-29T16:00:42Z",
	"@timestamp": "2020-04-29T16:40:01.484Z",
	"@version": "1",
	"log": "Script chequeo X@XXXX@X@XXX",
	"group": "DataBase",
	"Test": "Test"
}

I don't understand why this occurs.

I am grateful for all suggestions.

Kind Regards

This could be because Logstash is not maintaining the order of events. Make sure you disable java_execution in addition to setting pipeline.workers to 1.
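
The ordering dependence the reply points to, as an added example that is not part of the original thread or the plugin's own code: a simplified Ruby model of the aggregate filter's map_action rules, fed constructed log lines first in order and then with the end event overtaking the check events. It assumes "create" runs its code only when no map exists for the task_id, "update" only when one exists, and end_of_task deletes the map; AggregateModel, process and run are hypothetical names.

```ruby
# Simplified model of the aggregate filter's per-task map (added example, not plugin code).
# Assumed rules: 'create' runs only if no map exists, 'update' only if one does.
class AggregateModel
  def initialize
    @maps = {}
  end
  # The block stands in for `code`; it returns true when that code calls event.cancel().
  # Returns the event if it would reach the output, nil if it was cancelled.
  def filter(event, task_id:, map_action:, end_of_task: false)
    exists = @maps.key?(task_id)
    return event if map_action == 'create' && exists   # code skipped, event untouched
    return event if map_action == 'update' && !exists  # code skipped, event untouched
    map = (@maps[task_id] ||= {})
    cancelled = yield(map, event)
    @maps.delete(task_id) if end_of_task
    cancelled ? nil : event
  end
end

# Routes one log line the same way the pipeline's three conditionals do.
def process(agg, line)
  event = { 'log' => line }
  case line
  when /^(Script|INICIO|SCRIPT|Inicio)/
    agg.filter(event, task_id: 'Test', map_action: 'create') { |map, _| map['Checks'] ||= []; true }
  when /^(FIN|Fin) /
    agg.filter(event, task_id: 'Test', map_action: 'update', end_of_task: true) do |map, ev|
      ev['Checks'] = map['Checks']
      false
    end
  when /^(OK|ERROR|WARNING): /
    result, data = line.split(':', 2)
    agg.filter(event, task_id: 'Test', map_action: 'update') do |map, _|
      map['Checks'] << { 'Check' => { 'result' => result, 'data' => data } }
      true
    end
  else
    event
  end
end

def run(lines)
  agg = AggregateModel.new
  lines.map { |l| process(agg, l) }.compact
end

# Constructed sample lines, not taken from the poster's logs.
LINES = ['Script chequeo demo', 'OK: Estado de la instancia', 'OK: Conexiones actuales', 'FIN chequeo'].freeze
IN_ORDER  = run(LINES)                                     # one event carrying both checks
REORDERED = run([LINES[0], LINES[3], LINES[1], LINES[2]])  # end event overtakes the checks
```

In the reordered run the end event is emitted with an empty Checks array, and the check events that arrive afterwards find no map, so their update code is skipped and they pass through uncancelled.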
