Grok and aggregate log information

Lebedev · April 3, 2019, 10:21am

Dear, collegues pls help me!
I have input log following format:

Exm:

1 value
1 100
1 value1
2 mean
2 text
2 something
3 SOAP
3 example_text

I need to convert output log in Real-time in the foloving view:

1 value 100 value1
2 mean text something
3 SOAP example_text

Well, i wrote grok and mutate filter in my logstash:

if "gateway_ssl" in [tags] {

mutate {
gsub => ["message","\t", " "]
add_tag => ["mutate"]
}

grok {
match => {
"message" => ["%{BACULA_DEVICE:transaction_id} ?%{GREEDYDATA:text_message}"]}

add_tag => ["grokked"]
overwrite => [ "message" ]	

} #grok

}#if_gateway

Could you help me to write aggregate filter for my task?
Thank you a lot!

Badger · April 3, 2019, 12:49pm

This would match example 3 in the aggregate documentation. Use transaction_id as the task id, and keep appending text_message to a string in the map.

Lebedev · April 4, 2019, 9:55am

Sorry, i feel that i did't finaly understand..
Check pls my future config:
As far as i understood i need to do following config:

aggregate {

task_id = %{transaction_id}
code = map['test1'] =' '; map['test1'] += event.get('text_message')
map_action = create_or_update
push_map_as_event_on_timeout = true
timeout = 120
timeout_tags = ['aggregated']
}

Badger · April 4, 2019, 11:22am

You may want to add

timeout_task_id_field => "transaction_id"

Topic		Replies	Views
Help with Aggregate filter Logstash	4	314	March 25, 2022
Logstash aggregate problem Logstash	6	367	June 9, 2021
Logstash aggregate filter plugin Logstash	4	398	March 14, 2019
Having problem with Logstash filter aggregate example Logstash	2	1103	July 6, 2017
Correlate log using logstash aggregate plugin Logstash	4	596	March 23, 2022

Grok and aggregate log information

Related topics