I need to combine "errorInfo" fields of events that share nothing in common except for their file path. The field "log.file.path" exists as a field for my data in kibana but am not sure if a field needs to be explicitly declared in my logstash configuration to use it as a task_id for aggregations. I would like to do something like this:
aggregate {
task_id => "%{log.file.path}"
code => "map['combinedInfo' ||= ""; map['combinedInfo'] += event.get('errorInfo')"
push_map_as_event_on_timeout => true
timeout_task_id_field => "log.file.path"
timeout => 300
timeout_tags => ['_aggregatetimeout']
}
But am unsure how to deal with using file path as a task_id or how to concatenate two string fields in the "code" setting in the aggregate filter plugin. Thanks for your help and guidance.