Combining 3 logs into one

I have these 3 event logs that are almost the same.
I want to combine the 3 event logs into one log, but somehow it won't work.

This is my filter:

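aggregate {
    # task_id groups events into one aggregation map. It must be a value that is
    # identical across the events to be merged. In the sample document "_id" is
    # Elasticsearch document metadata (not a field under _source), and such ids
    # are unique per document, so each event would get its own map and nothing
    # would ever be combined.
    # TODO(review): replace "%{_id}" with a field that the 3 events share.
    task_id => "%{_id}"
    code => "
        # The original used '|=' here. In Ruby that is boolean OR-assign:
        # nil | 'abc' evaluates to true, so map['_id'] was stored as `true`
        # instead of the id. '||=' keeps the first non-nil value seen, matching
        # the other three assignments.
        map['_id'] ||= event.get('_id')
        map['@timestamp'] ||= event.get('@timestamp')
        # NOTE(review): an un-bracketed name is a single top-level field
        # literally called 'event.code', and the map key becomes a top-level
        # field of the pushed event with that dotted name. The sample document
        # nests code under event, so '[event][code]' may be the intended
        # reference — confirm against the pipeline's other filters.
        map['event.code'] ||= event.get('event.code')
        map['message'] ||= event.get('message')
    "
    # The merged map is only emitted as a new event when the task times out.
    # No explicit `timeout` is set, so the plugin default applies; the combined
    # event will not appear until that interval has elapsed.
    push_map_as_event_on_timeout => true
    # On the emitted event, the task id is written to [event][code] and the
    # event is tagged so it can be told apart from the original three.
    timeout_task_id_field => "[event][code]"
    timeout_tags => ["_aggregatetimeout"]
}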

My logs:

{
  "_index": "my-index-stream",
  "_id": "OYqGcIkBvfUgyojT0iLn",
  "_version": 1,
  "_score": 0,
  "_source": {
    "event": {
      "original": "4624 An account was successfully logged on",
      "action": "Logon",
      "kind": "event",
      "code": "4624",
      "outcome": "success",
      "created": "2023-07-19T23:40:30.258Z"
    },
    "host": {},
    "log": {
      "level": "information"
    },
    "machine": "false",
    "message": "4624 An account was successfully logged on",
    "agent": {
      "type": "winlogbeat",
      "name": "Test-Server"
    },
    "winlog": {
      "process": {
        "thread": {},
        "pid": 612
      },
      "event_data": {}
    },
    "@timestamp": "2023-07-19T23:40:28.421Z",
    "ecs": {}
  },
  "fields": {
    "log.level.keyword": [
      "information"
    ],
    "event.original": [
      "4624 An account was successfully logged on"
    ],
    "agent.name.keyword": [
      "Test-Server"
    ],
    "event.outcome.keyword": [
      "success"
    ],
    "event.code.keyword": [
      "4624"
    ],
    "message": [
      "4624 An account was successfully logged on"
    ],
    "winlog.process.pid": [
      612
    ],
    "machine.keyword": [
      "false"
    ],
    "agent.type": [
      "winlogbeat"
    ],
    "event.action": [
      "Logon"
    ],
    "event.code": [
      "4624"
    ],
    "@timestamp": [
      "2023-07-19T23:40:28.421Z"
    ],
    "machine": [
      "false"
    ],
    "event.original.keyword": [
      "4624 An account was successfully logged on"
    ],
    "event.created": [
      "2023-07-19T23:40:30.258Z"
    ],
    "message.keyword": [
      "4624 An account was successfully logged on"
    ],
    "event.kind.keyword": [
      "event"
    ],
    "log.level": [
      "information"
    ],
    "agent.name": [
      "Test-Server"
    ],
    "event.action.keyword": [
      "Logon"
    ],
    "event.kind": [
      "event"
    ],
    "agent.type.keyword": [
      "winlogbeat"
    ],
    "event.outcome": [
      "success"
    ]
  }
}

Can somebody tell me where it is wrong? I am new to ELK.

Hello,

You need to provide more context: what your input is, what other filters you have, and what the other logs are. You only shared one log; you need to provide the 3 logs you want to aggregate and your pipeline so people can try to simulate it.

Also, task_id in the aggregate filter needs to be an identifier that is the same in all events you want to aggregate. You didn't share what your source of data is, but if the _id field is coming from Logstash it will be unique for each event.
