Copy last uuid value in the configuration

Hello,
I'm new to ELK. I have a grok filter to parse logs, and I added tags for process started and process ended to calculate the session length for each connection,
but the session had no session ID, so I generated a uuid to be added. The problem is that the elapsed plugin needs two tags with the same uuid to calculate the session time,
so how can I add the same uuid to two different msgs?

My configuration looks like below:

filter {
    grok {
        match => { "message" => "msg1" }    # msg1: grok pattern for the start message
        add_tag => ["sessionStart"]
    }
    grok {
        match => { "message" => "msg2" }    # msg2: grok pattern for the end message
        add_tag => ["sessionEnd"]
    }

    # one of the two patterns will always fail, drop the failure tag it leaves behind
    if "_grokparsefailure" in [tags] {
        mutate { remove_tag => ["_grokparsefailure"] }
    }

    if "sessionStart" in [tags] or "sessionEnd" in [tags] {
        uuid { target => "sessionID" }
    }
}

But this will create a different uuid at each session start or end, and I need them to be the same.
Any thoughts? Thanks in advance.

Do the events strictly alternate start / end / start / end / start / end? If not, how do you know which pairs of events go together?

Yes, it comes from one source, with a clear start/end pattern, and the tags are added perfectly for each pair; I just need to solve the uuid issue.

Something like this should get you started.

input { generator { count => 1 lines => [ 'a1', 'b1', 'a2', 'b2' ] } }
filter {
    if [message] =~ /^a/ {
        #start
        mutate { add_tag => ["sessionStart"] }
        fingerprint { target => "uuid" }
        ruby { code => '@@uuid = event.get("uuid")' }
    } else {
        #end
        mutate { add_tag => ["sessionEnd"] }
        ruby { code => 'event.set("uuid", @@uuid)' }
    }
}
output { stdout { } }
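Putting the answer above together with the elapsed filter from the original question, as an added example that is not from this thread: the shared-id trick is kept as posted, and the `elapsed` options used (`start_tag`, `end_tag`, `unique_id_field`, `timeout`) are the plugin's documented ones. The sample input is constructed, and the pipeline assumes a single worker so the remembered id and the elapsed state see events in order.

```logstash
# Added example (not from the thread): give each start/end pair one shared id,
# then let elapsed compute the session length from it.
# Shared state between events only works when one worker processes them in order:
#   bin/logstash -w 1 -f session.conf
input {
  # constructed sample: two sessions, each a start ("a") followed by its end ("b")
  generator { count => 1 lines => [ 'a1', 'b1', 'a2', 'b2' ] }
}
filter {
  if [message] =~ /^a/ {
    mutate { add_tag => ["sessionStart"] }
    # hash of the start message becomes the pair id (fingerprint defaults to source "message")
    fingerprint { target => "uuid" }
    # remember it for the end event that follows
    ruby { code => '@@uuid = event.get("uuid")' }
  } else {
    mutate { add_tag => ["sessionEnd"] }
    # reuse the id remembered from the preceding start event
    ruby { code => 'event.set("uuid", @@uuid)' }
  }
  # elapsed pairs a sessionStart and a sessionEnd whose uuid values agree and
  # writes elapsed_time (seconds) onto the end event; unmatched starts expire after timeout
  elapsed {
    start_tag       => "sessionStart"
    end_tag         => "sessionEnd"
    unique_id_field => "uuid"
    timeout         => 300
  }
}
output { stdout { codec => rubydebug } }
```

If the very first event the pipeline sees is an end, `@@uuid` is still unset and the ruby filter raises, so a stream that can begin mid-session needs a guard such as an `if [message] =~ /^a/` check before the start/end branches or an initial `@@uuid = nil` via the ruby filter's `init` option.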
