Help me with logstash config (Feature Request)

Md_Shariful_Islam · January 12, 2023, 7:14am

I am using logstash aggregate filter and I want timeout value for infinite time. How to do that?

Current config for aggregate filter given below

if [src_ip] {
        aggregate {
            task_id => "%{src_ip}"
            code => "
                if !defined?(map)
                    map = Hash.new
                end
                if event.get('user_mac')
                    map['getmac'] = event.get('user_mac')
                end
                if event.get('user')
                    map['getuser'] = event.get('user')
                end
				event.set('pppoeusermac', map['getmac']);
				event.set('pppoeuser', map['getuser'])
			"
            timeout_task_id_field => "%{src_ip}"
            aggregate_maps_path => "/home/user/logstash-8.3.2/data/aggmap/aggregate_maps"
        }
    }

tatdat · January 12, 2023, 1:56pm

Have you tried to set timeout = 0? I guess that :D. I do not test this option.

Badger · January 12, 2023, 5:55pm

I don't think you can make it infinite, but you can set it to a very large number, like 2147483647, which is over 68 years. Make sure you set inactivity_timeout as well.

Md_Shariful_Islam · January 15, 2023, 5:20am

I tried it initially but cpu usage and memory usage got high, so I am looking for a solution which will keep the last map value for each task id.

Md_Shariful_Islam · January 15, 2023, 5:30am

Yes, I tried with both negative value and zero but it doesn't work. It's not setting pppoeusermac and pppoeuser for each upcoming event

system · February 12, 2023, 5:30am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.