Correlate log using logstash aggregate plugin

lusynda · February 18, 2022, 10:19am

Hi all
I'm trying to correlate multiple log file into 1 log message send to elastic using aggregate plugin in logstash.

2022-02-18T09:51:25.528Z,mail-srv\Client mail-srv,08D9DD5FF4988FD5,37,192.168.1.1:587,192.168.2.2:60095,*,,User Name: NULL
2022-02-18T09:51:25.528Z,mail-srv\Client mail-srv,08D9DD5FF4988FD5,19,192.168.1.1:587,192.168.2.2:60095,>,235 2.7.0 Authentication successful,

Now i want to from same id 08D9DD5FF4988FD5 i can get this two log messge into 1 log message like this

2022-02-18T09:51:25.528Z,mail-srv\Client mail-srv,08D9DD5FF4988FD5,37,192.168.1.1:587,192.168.2.2:60095,User Name: NULL,235 2.7.0 Authentication successful,

Or somethings like that.

I have tried this config

filter {
  aggregate  {
     task_id => "%{id}"
     code => "
       map['mail_data'] ||= event.get('mail.data')
       map['mail_context'] ||= event.get('mail.context')
     "
    push_map_as_event_on_timeout => true
    timeout_task_id_field => "id"
    timeout => 30
    timeout_tags => ['_aggregatetimeout']
  }
}

the mail.data field is User Name: NULL and the mail.context is 235 2.7.0 Authentication successful

Thanks for your time.

Badger · February 18, 2022, 5:29pm

When you use this the only data in the event that aggregate creates is what you added to the map. If you want additional parts of the original message in that event then you must add them to the map.

lusynda · February 23, 2022, 7:39am

Ok but is that why my config does not working like at all.

lusynda · February 23, 2022, 9:33am

The current problems for me is that i have tried the config multiple time and it is not working for me. It is not aggregated, notthing happened.

system · March 23, 2022, 9:34am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.