Hi. I am new to using the Aggregate filter. What I have is rsyslog data coming from an ntopng system. I need to aggregate when a network device disconnects and then reconnects to determine the duration of the disconnect.
This is what I have.
if [DeviceStatus] == "disconnected" {
    aggregate {
        task_id => "%{macadd}"
        # remember when this MAC went down (epoch seconds taken from @timestamp)
        code => "map['NewTimestamp'] = event.get('@timestamp').to_f"
        map_action => "create"
    }
}
if [DeviceStatus] == "connected" {
    aggregate {
        task_id => "%{macadd}"
        # outage length in seconds = reconnect time - disconnect time, written onto the reconnect event
        code => "event.set('duration', event.get('@timestamp').to_f - map['NewTimestamp'])"
        map_action => "update"
        end_of_task => true
        timeout => 120
    }
}
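A fuller version of this pipeline, written here as an added example rather than the poster's own config: it keeps the disconnect/reconnect pairing but also emits a tagged event when a device stays down past the timeout, so outages that never end (or outlast the window) are still visible instead of being silently dropped. It assumes `macadd` and `DeviceStatus` are already parsed out of the rsyslog line, that a date filter has set `@timestamp` from the syslog time, and that Logstash runs with a single worker (`pipeline.workers: 1`), which the aggregate filter requires.

```logstash
filter {
  # Assumed: macadd and DeviceStatus are already extracted, and @timestamp
  # reflects the syslog time (date filter), not Logstash ingest time.
  if [DeviceStatus] == "disconnected" {
    aggregate {
      task_id => "%{macadd}"
      # Store the down time and the MAC so a timeout event still carries both.
      code => "map['down_since'] = event.get('@timestamp').to_f; map['macadd'] = event.get('macadd')"
      map_action => "create"
      # All timeout options for one task_id pattern must sit in a single aggregate block.
      # A reconnect arriving after this window finds no map and is skipped, so size it
      # to the longest outage you still want measured (here one hour).
      timeout => 3600
      # If no 'connected' arrives in time, push the map out as its own event ...
      push_map_as_event_on_timeout => true
      timeout_task_id_field => "macadd"
      timeout_tags => ["still_disconnected"]
      # ... and record how long the device had been down when we gave up waiting.
      timeout_code => "event.set('disconnect_duration', event.get('@timestamp').to_f - event.get('down_since'))"
    }
  }
  if [DeviceStatus] == "connected" {
    aggregate {
      task_id => "%{macadd}"
      # Outage length in seconds, written onto the reconnect event; the map is then dropped.
      code => "event.set('disconnect_duration', event.get('@timestamp').to_f - map['down_since'])"
      map_action => "update"
      end_of_task => true
    }
  }
}
```

Events tagged `still_disconnected` are the ones worth alerting on; the reconnect events carry the measured `disconnect_duration` for normal outages.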