juuuhuuu
October 29, 2020, 4:42pm
1
Hi Community,
SELECT COUNT(CustomerID), Country
Could you please help me?
=> in the logname are countries for example like: user 123 in Germany logelevel: Info /path...
filter {
dissect {mapping => {"message" => "[%{logdate}] %{application}.%{loglevel}: %{logname} /%{path}"}}
if "info" in [loglevel] {
aggregate {
task_id => "%{logname}"
code => "
map['logname'] ||= 0; map['logname'] += 1;
map['logname'] ||= event.get('logname')
map['loglevel'] ||= []
map['loglevel'] << {'loglevel' => event.get('loglevel')}
event.cancel()
"
push_previous_map_as_event => true
timeout => 3
}
}else{
dissect { mapping => { "message" => "[%{logdate}] %{exception}.%{errorlogname}.%{errorCode}.%{loglevel}: %{errorMessage} /%{path}" } }
}
Why don't do it in Elasticsearch?
Badger
October 30, 2020, 5:08pm
3
What does the data you are trying to aggregate look like?
juuuhuuu
November 2, 2020, 12:01pm
4
[2020-11-02 12:44:04] application.INFO: Today is beautiful weather /path/....
Badger
November 3, 2020, 10:47pm
7
You could try
dissect {mapping => {"message" => "[%{logdate}] %{application}.%{loglevel}: %{}"}}
if "INFO" in [loglevel] {
dissect {mapping => {"message" => "[%{logdate}] %{application}.%{loglevel}: %{logname} /%{path}"}}
aggregate {
task_id => "%{logname}"
code => "
map['logname'] ||= 0; map['logname'] += 1;
map['logname'] ||= event.get('logname')
map['loglevel'] ||= []
map['loglevel'] << {'loglevel' => event.get('loglevel')}
event.cancel()
"
push_previous_map_as_event => true
timeout => 3
}
}else{
dissect { mapping => { "message" => "[%{logdate}] %{application}.%{loglevel}: %{errorCode} %{errorMessage} /%{path}" } }
}
Note that the
map['logname'] ||= event.get('logname')
will never perform the assignment, because the previous line has ensured that map['logname'] is never nil.
juuuhuuu
November 3, 2020, 11:47pm
8
thank you very much, Ill try it and let you know !!
juuuhuuu
November 5, 2020, 8:15am
9
Hello,
i tried but the problem is, that the logstash is not going in to the if condition.
