Grouping data by id with aggregate

sabdoul · February 21, 2018, 9:51am

Hello,

I want to group software by an id (pc name). For that I use the aggregate filter. But the grouping does not work.

Maybe I miss something (below my code):

input {
 elasticsearch {
   hosts => ["localhost:9200"]
   index => "pc-2018.02.19"
   query => '{ "query": { "query_string": { "query": "*" } },"_source": 
     ["beat.hostname","system.process.name"]}'
   docinfo => true
   docinfo_target => "@metadata"
   scroll => "5m"
   tags => "pc_software"
}
}

 filter {
    if "pc_software" in [tags] {
         aggregate {
           task_id => "%{[beat][hostname]}"
           code => "
                 map['[beat][hostname]'] = event.get('[beat][hostname]')
                 map['software'] ||= []
                 map['software'] << {'[software_name]' => event.get('[system][process][name]')}
                 #event.cancel()
           "
           push_map_as_event_on_timeout => true
           timeout => 1000
        }
       mutate {
         remove_field => ["[beat][hostname]", "[system][process][name]"]
       }
 }
}

output {
  if "pc_software" in [tags] {
     elasticsearch {
        hosts => ["localhost:9200"]
        index => "pc_logiciel-%{+YYYY.MM.dd}"
  }
 }
}

Thank you in advance for your help!

system · March 21, 2018, 9:52am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.