Aggregate logs without special pattern or "flag" for the last of the group

Akita · June 22, 2016, 9:03am

I managed to find something, inspired by this usecase: Filter Plugin: Elasticsearch

It's using the ruby plugin and it should probrably be optimised. I changed my strategy since my first post.

filter {
ruby{
    init => "
        @@map ={}
        @@map['list_of_values_for_this_group'] = []
        @@map['group_of_previous_event'] = 'start'
        "
    code => "
        @@map['current_group'] = event['group_id']    
        if (@@map['group_of_previous_event'] != 'start' && @@map['group_of_previous_event'] != @@map['current_group'])  #if it's not the first event and if we just changed group, then reset the list
            @@map['list_of_values_for_this_group'] = []
        end
        @@map['list_of_values_for_this_group'].push(event['value']) #put the new value in the list
        event['values']=@@map['list_of_values_for_this_group'] #we need to publish the list at each event to avoid the last one to be lost
        @@map['group_of_previous_event'] = event['group_id']
    "
}
}

output {
elasticsearch {
  action =>"update"
  doc_as_upsert =>true
  index => "my_index"
  document_id => "%{group_id}" #each new event of a group updates the previous one
}
}

Hope it helps someone.

Topic		Replies	Views
Aggregate similar Logs Logstash	3	326	May 20, 2022
Agrregate Filter For each Logstash	1	538	December 7, 2016
Logstash Aggregate copy last Event to Map Logstash	4	1424	November 4, 2020
Aggregate log information Logstash	2	439	January 17, 2017
Logstash Aggregate with multiple end tags Logstash	6	595	June 14, 2020

Aggregate logs without special pattern or "flag" for the last of the group

Related topics