Aggregate Performing Unpredictably

NomadicCodeGuy · October 7, 2020, 7:38pm

I am using the aggregate filter plugin to copy a field to all entries from the same file path that have a "nil" entry for that field. It works perfectly for around 95 percent of the time. The strange thing is that with exactly the same .conf file settings and using the same training data, a different number of fields are successfully copied each time. I'm sure there is some underlying issue with my implementation but I am not seeing it myself. Here is the settings I am using for my aggregate filter plugin. Note that the entries that have the scenario data always come before the nil scenarios.

if [scenario] != ""  #scenario field detected, add to map for that file path
{
	aggregate 
	{
		 task_id => "%{[log][file][path]}"
		 code => "map['scenario'] = event.get('scenario')"
	}
}
if [scenario] == "" #nil scenario detected, add mapped data to it's scenario field
{
	aggregate 
	{
		 task_id => "%{[log][file][path]}"
		 code => "event.set('scenario', map['scenario'])"
	}
}

Badger · October 7, 2020, 7:57pm

You have set pipeline.workers to 1, right?

NomadicCodeGuy · October 7, 2020, 8:05pm

Yes. I was able to fix the issue by switching to this aggregate filter configuration using if-else instead of two independent if's.

if [scenario] #scenario field detected, add to map for that file path
	{
		aggregate 
		{
		 task_id => "%{[log][file][path]}"
		 code => "map['scenario'] = event.get('scenario')"
		}
	}
else #add map data to it's scenario field
	{
		aggregate 
		{
		 task_id => "%{[log][file][path]}"
		 code => "event.set('scenario', map['scenario'])"
		}
	}

system · November 4, 2020, 8:05pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.