I'm trying to use the Logstash aggregate filter on Postfix logs using a filter taken from https://github.com/topmedia/logstash-postfix/blob/master/etc/logstash/conf.d/51-filter-postfix-aggregate.conf.
I modified the filter to use the new event.get() function, but I don't know how to adapt the event.append() call, because I can't find any reference to it in the Logstash 6 documentation.
I'm getting the following error:
[2018-10-10T21:24:27,243][ERROR][logstash.filters.aggregate] Aggregate exception occurred {:error=>#<TypeError: wrong argument type Hash (expected LogStash::Event)>, :code=>"event.append(map)", :map=>{"..."}
This is the filter I'm trying to use:
# Correlates the Postfix log lines that share a queue ID: fields seen on the
# qmgr, smtpd and cleanup lines are stashed in the aggregate map and are meant
# to be copied onto the postfix/smtp delivery event.
#
# NOTE(review): the aggregate plugin's documentation requires a single pipeline
# worker, otherwise events for one task_id may be processed out of order.
filter {
  # Set @timestamp from the syslog "timestamp" field; the two patterns cover
  # zero-padded ("dd") and single-digit ("d") days of the month.
  date {
    match => [ "timestamp", "MMMM dd HH:mm:ss", "MMMM d HH:mm:ss"]
  }

  # Everything without a queue ID is discarded here. Postfix lines that are not
  # tied to a queued message (connection and authentication failures typically
  # are not) never get past this point, so route them elsewhere first if they
  # are needed for monitoring.
  if ![postfix_queueid] {
    drop {}
  } else if [syslog_program] == "postfix/qmgr" and [postfix_from] {
    # Queue manager line: remember sender, size and recipient count.
    aggregate {
      task_id => "%{postfix_queueid}"
      code => "
        map['postfix_from'] = event.get('postfix_from')
        map['postfix_size'] = event.get('postfix_size')
        map['postfix_nrcpt'] = event.get('postfix_nrcpt')
      "
    }
  } else if [syslog_program] == "postfix/smtpd" {
    # Inbound SMTP line: remember the connecting client.
    aggregate {
      task_id => "%{postfix_queueid}"
      code => "
        map['postfix_client_hostname'] = event.get('postfix_client_hostname')
        map['postfix_client_ip'] = event.get('postfix_client_ip')
      "
    }
  } else if [syslog_program] == "postfix/cleanup" {
    # Cleanup line: remember the Message-ID header.
    aggregate {
      task_id => "%{postfix_queueid}"
      code => "
        map['postfix_message-id'] = event.get('postfix_message-id')
      "
    }
  } else if [syslog_program] == "postfix/smtp" {
    # Delivery line: this is the call that raises the TypeError quoted above.
    # event.append expects a LogStash::Event, while map is a plain Hash.
    # Copying the entries through the event API avoids the type mismatch, e.g.
    #   map.each { |k, v| event.set(k, v) }
    #
    # Nothing in this filter ends the task, so each map stays in memory until
    # the plugin's timeout expires. A message with several recipients logs
    # several postfix/smtp lines for one queue ID, so ending the task on the
    # first of them would leave the later ones without the stored fields.
    aggregate {
      task_id => "%{postfix_queueid}"
      code => "event.append(map)"
    }
  }
}
Thanks!