Another Aggregate filter issue

Hi. I am new to using the Aggregate filter. What I have is rsyslog data coming from an ntopng system. I need to aggregate when a network device disconnects and then reconnects to determine the duration of the disconnect.

This is what I have.
    # The aggregate filter needs a single pipeline worker (-w 1) so that the
    # disconnect and reconnect events for one MAC are processed in order.
    if [DeviceStatus] == "disconnected" {
      aggregate {
        task_id => "%{macadd}"
        # Remember when this MAC went offline; the map is keyed by the MAC address.
        code => "map['disconnected_at'] = event.get('@timestamp').to_f"
        map_action => "create"
      }
    }

    if [DeviceStatus] == "connected" {
      aggregate {
        task_id => "%{macadd}"
        # Outage length in seconds, computed from the stored disconnect time.
        code => "event.set('disconnect_duration', event.get('@timestamp').to_f - map['disconnected_at'])"
        map_action => "update"
        end_of_task => true
        timeout => 120
      }
    }

Aug 19 22:37:00 ntopng-eq ntopng: [Alert] The device href="/lua/mac_details.lua?host=00:0C:29:20:38:BC">OnclaveOSSIM.onclave.net has disconnected from the network.

This is the syslog message that I am trying to use as the start of a task. The MAC address has the potential to be one of 1000+ devices. I am trying to calculate the duration between a device disconnecting and when it reconnects (if at all).
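As an added example (not code from the original post), the following stand-alone Ruby script applies the same per-MAC logic the two aggregate blocks are meant to run, using constructed ntopng syslog lines in the format shown above; the wording of the "connected" alert and the hostnames other than the one quoted are assumptions, since the post only shows the disconnect message.

```ruby
require 'time'

# Stand-in for the grok pattern that would pull the aggregate key (the MAC) and the
# device status out of the ntopng alert. The "connected to" wording is assumed.
NTOPNG_RE = /host=(?<macadd>(?:[0-9A-F]{2}:){5}[0-9A-F]{2})">(?<hostname>\S+) has (?<status>connected to|disconnected from) the network/i

# Constructed sample input: one clean outage, one device that never comes back,
# and one that reconnects only after the 120 s task timeout.
SAMPLE_LINES = [
  'Aug 19 22:37:00 ntopng-eq ntopng: [Alert] The device href="/lua/mac_details.lua?host=00:0C:29:20:38:BC">OnclaveOSSIM.onclave.net has disconnected from the network.',
  'Aug 19 22:38:30 ntopng-eq ntopng: [Alert] The device href="/lua/mac_details.lua?host=00:0C:29:20:38:BC">OnclaveOSSIM.onclave.net has connected to the network.',
  'Aug 19 22:39:00 ntopng-eq ntopng: [Alert] The device href="/lua/mac_details.lua?host=AA:BB:CC:00:00:01">printer.example.test has disconnected from the network.',
  'Aug 19 22:41:00 ntopng-eq ntopng: [Alert] The device href="/lua/mac_details.lua?host=AA:BB:CC:00:00:02">camera.example.test has disconnected from the network.',
  'Aug 19 22:45:00 ntopng-eq ntopng: [Alert] The device href="/lua/mac_details.lua?host=AA:BB:CC:00:00:02">camera.example.test has connected to the network.'
]

# Turn one rsyslog line into an event hash (nil if it is not a connect/disconnect alert).
def parse_event(line)
  m = NTOPNG_RE.match(line) or return nil
  ts = Time.strptime(line[0, 15], '%b %d %H:%M:%S') # syslog timestamps carry no year
  { 'timestamp' => ts, 'macadd' => m[:macadd].upcase, 'host' => m[:hostname],
    'DeviceStatus' => m[:status].start_with?('dis') ? 'disconnected' : 'connected' }
end

# Same state machine the two aggregate blocks implement: "disconnected" creates a map
# for the task_id (the MAC) holding the disconnect time; "connected" ends the task and
# reports the outage length; maps older than timeout_s are dropped like `timeout` does.
def disconnect_durations(lines, timeout_s: 120)
  maps = {}
  results = []
  lines.each do |line|
    ev = parse_event(line) or next
    mac, now = ev['macadd'], ev['timestamp']
    maps.delete_if { |_, m| now - m['disconnected_at'] > timeout_s }
    case ev['DeviceStatus']
    when 'disconnected'
      maps[mac] ||= { 'disconnected_at' => now }          # map_action => "create"
    when 'connected'
      m = maps.delete(mac) or next                        # no open task for this MAC
      results << { 'macadd' => mac, 'host' => ev['host'],
                   'disconnect_duration' => now - m['disconnected_at'] }
    end
  end
  results
end

disconnect_durations(SAMPLE_LINES).each { |r| puts "#{r['host']} (#{r['macadd']}) was offline #{r['disconnect_duration'].to_i}s" }
```

With the 120 s timeout only the first device produces a duration; raising timeout_s shows the camera's 240 s outage as well, which is the trade-off the `timeout` option controls.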
