I need to use multiple events and build a single aggregated event, based on session id, to send to ES.
Here is how the data looks:
session open for user abc (session id :1)
session open for user bbc (session id :2)
....some operation by user abc (session id :1)
....some operation by user bbc (session id :2)
session closed for user abc (session id :1)
...some operation by user bbc (session id :2)
session closed for user bbc (session id :2)
I am using the aggregate filter. I have also specified event.cancel() for the non-final events.
I know the start and end events. I have set pipeline workers to 1.
The pipeline has a grok plugin to fetch a basic field that differentiates start, middle and end events.
A start aggregate plugin with event.cancel(), code, task_id and map settings.
Another grok on the basic field to fetch the specific operations and fill the map.
Based on the operations, multiple aggregate filters with event.cancel() in each and map_action "update".
Then a final aggregate filter for the final event, based on the basic grok-parsed field,
including the below:
map_action => "update"
end_of_task => true
I haven't set any timeout-related fields, as they are not needed as of now.
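A minimal pipeline for the three shapes of line shown above, written here as an added example and not the poster's configuration: the open and operation events fill the per-session map and are cancelled, and only the close event, which carries the aggregated map, goes on to Elasticsearch. The field names phase, operation, session_start and operation_count, and the 600 s timeout, are assumptions.

```logstash
filter {
  # Classify each line: "open"/"closed" lines set [phase], operation lines set [operation]
  grok {
    match => { "message" => [
      "^session %{WORD:phase} for user %{WORD:user} \(session id :%{INT:session_id}\)$",
      "^\.*%{DATA:operation} by user %{WORD:user} \(session id :%{INT:session_id}\)$"
    ] }
  }
  # Lines that match none of the three shapes never reach the aggregate filters
  if "_grokparsefailure" in [tags] { drop { } }

  if [phase] == "open" {
    # Start event: create the per-session map, then cancel the event
    aggregate {
      task_id => "%{session_id}"
      code => "
        map['user'] = event.get('user')
        map['session_start'] = event.get('@timestamp')
        map['operations'] = []
        event.cancel()
      "
      map_action => "create"
    }
  } else if [phase] == "closed" {
    # End event: copy the map into this event, which is the only one indexed
    aggregate {
      task_id => "%{session_id}"
      code => "
        event.set('session_start', map['session_start'])
        event.set('operations', map['operations'])
        event.set('operation_count', map['operations'].length)
      "
      map_action => "update"
      end_of_task => true
      timeout => 600   # assumption: discard maps whose close line never arrives
    }
  } else {
    # Middle event: append the operation to the map, then cancel the event
    aggregate {
      task_id => "%{session_id}"
      code => "
        map['operations'] << event.get('operation')
        event.cancel()
      "
      map_action => "update"
    }
  }
}
```

This relies on pipeline.workers being 1, as the post already states, so that the lines of one session are processed in order. A close line that arrives with no matching map (for example after a restart) is indexed without the aggregated fields, and the timeout is what stops orphaned maps from accumulating when a close line never arrives.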