How is collate filter supposed to work?

Elastic Stack Logstash
1

With the following config and data file, logstash emits 10 events. I was expecting 2 events with orig-events 1-5 as the message for event 1 and orig-events 6-10 as the message for event 2. Test against 1.5.4 and 2.0.0. Is this a bug or do I not understand what collate is supposed to do?

For context, I'm trying to count the number of times an interesting syslog message passes by, and instead of emitting an event for each such message, emit one event as "N instances of msg: FOO". There a better way to go about this? Thanks.

input {
  file {
    path => [ '/tmp/test.log' ]
    start_position => 'beginning'
  }
}
filter {
  collate {
    count => 5
    interval => '3s'
    periodic_flush => true
  }
}
output {
  stdout {
    codec => rubydebug { metadata => true }
  }
}

test.log:

01
02
03
04
05
06
07
08
09
10

3

Please ignore. Collate is only supposed to order events, not merge them. Doh!

4

hi,
may I say that "collate" means: sort and display?
So it will aggregate many incoming events till meet some condition(s):
count of events OR in specific time frame.
In this case after some period of time/or when collate specific number of events this filter will flush (or push) all that events to the next filter/next step?

Regarding to: "periodic_flush => true"
What does it means exactly?
"Collate" filter will flush events each time after e.g."3s" or when the number of incomming events equals to "5", right ?