Hello,
I am struggling with the below: I have multiple log line mappings and there is one specific field I would like to populate for the log lines before and after. Currently I am only getting it on the exact same line where the field exists, but I would like to extend it to every line:
My current mapping is:
```
if "module" in [tags] {
  aggregate {
    task_id => "%{pid}"
    code => "event.set('modulename', [event.get('module_name')])"
    map_action => "create"
  }
}
if "module" not in [tags] {
  aggregate {
    task_id => "%{pid}"
    code => "event.set('modulename2', map['modulename'])"
    map_action => "update"
    end_of_task => true
  }
}
```
I am not sure what I am doing wrong. I am new to the aggregate filter and to Logstash in general.
Your help is appreciated very much!
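
An added example, not part of the original post: one way to carry the value forward with the aggregate filter, reusing the post's `pid`, `module_name` and `modulename` fields. It assumes the "module" line arrives before the lines that should inherit the value; everything else is illustrative.

```logstash
filter {
  if "module" in [tags] {
    aggregate {
      task_id    => "%{pid}"
      # Store the value in the shared map. event.set only changes the
      # current event, so later events for this pid would see nothing.
      code       => "map['modulename'] = event.get('module_name')"
      # create_or_update lets a later "module" line for the same pid
      # overwrite the stored value instead of being skipped.
      map_action => "create_or_update"
    }
  }
  if "module" not in [tags] {
    aggregate {
      task_id    => "%{pid}"
      # Copy the stored value onto this event when one has been seen.
      code       => "event.set('modulename', map['modulename']) if map['modulename']"
      # "update" runs the code only when a map already exists for this pid.
      map_action => "update"
      # No end_of_task here: setting it deletes the map after the first
      # non-module line, so only that one line would receive the value.
    }
  }
}
```

The aggregate filter only works reliably with a single pipeline worker (`-w 1`), because events for one `pid` must be processed in order. Lines that pass through before the "module" line cannot be filled in this way, since they have already left the filter when the value becomes known.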