Help me with logstash config (Feature Request)

Elastic Stack Logstash
1

I am using logstash aggregate filter and I want timeout value for infinite time. How to do that?

Current config for aggregate filter given below

if [src_ip] {
        aggregate {
            task_id => "%{src_ip}"
            code => "
                if !defined?(map)
                    map = Hash.new
                end
                if event.get('user_mac')
                    map['getmac'] = event.get('user_mac')
                end
                if event.get('user')
                    map['getuser'] = event.get('user')
                end
				event.set('pppoeusermac', map['getmac']);
				event.set('pppoeuser', map['getuser'])
			"
            timeout_task_id_field => "%{src_ip}"
            aggregate_maps_path => "/home/user/logstash-8.3.2/data/aggmap/aggregate_maps"
        }
    }
2

Have you tried to set timeout = 0? I guess that :D. I do not test this option.

image
image1205×533 37 KB

3

I don't think you can make it infinite, but you can set it to a very large number, like 2147483647, which is over 68 years. Make sure you set inactivity_timeout as well.

4

I tried it initially but cpu usage and memory usage got high, so I am looking for a solution which will keep the last map value for each task id.

5

Yes, I tried with both negative value and zero but it doesn't work. It's not setting pppoeusermac and pppoeuser for each upcoming event