Grok and aggregate log information

Lebedev · April 3, 2019, 10:21am

Dear, collegues pls help me!
I have input log following format:

Exm:

1 value
1 100
1 value1
2 mean
2 text
2 something
3 SOAP
3 example_text

I need to convert output log in Real-time in the foloving view:

1 value 100 value1
2 mean text something
3 SOAP example_text

Well, i wrote grok and mutate filter in my logstash:

if "gateway_ssl" in [tags] {

mutate {
gsub => ["message","\t", " "]
add_tag => ["mutate"]
}

grok {
match => {
"message" => ["%{BACULA_DEVICE:transaction_id} ?%{GREEDYDATA:text_message}"]}

add_tag => ["grokked"]
overwrite => [ "message" ]	

} #grok

}#if_gateway

Could you help me to write aggregate filter for my task?
Thank you a lot!

Badger · April 3, 2019, 12:49pm

This would match example 3 in the aggregate documentation. Use transaction_id as the task id, and keep appending text_message to a string in the map.

Lebedev · April 4, 2019, 9:55am

Sorry, i feel that i did't finaly understand..
Check pls my future config:
As far as i understood i need to do following config:

aggregate {

task_id = %{transaction_id}
code = map['test1'] =' '; map['test1'] += event.get('text_message')
map_action = create_or_update
push_map_as_event_on_timeout = true
timeout = 120
timeout_tags = ['aggregated']
}

Badger · April 4, 2019, 11:22am

You may want to add

timeout_task_id_field => "transaction_id"

system · May 2, 2019, 11:22am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.