We have some logs where some critical information (such as username) is logged once at the beginning of a user's session (these are web application logs) and we'd like to associate this information in a field for all the following events associated with that same session_id. Is there a way to do this in logstash? I thought this would be something that would come up more commonly but I didn't turn up anything in any searches. The idea would be to store a value into a persistent hash that could then be retrieved on subsequent events. Typically, a session_id or similar would be used and there'd have to be some mechanism to delete the values from the hash to keep it from growing without bound. The closest filter I could find is the 'elapsed' filter.
Yes, as mentioned in my original post, I've seen the elapsed filter which comes closest to what I want but note that I'm not trying to measure elapsed times. I'm trying to capture a value during the creation of a session so that I can log it with all events associated with that session later on. Picture a username which is logged at login time but all that is logged thereafter is a sessionid but I want to then include the username on all my events stored in elasticsearch to ease diagnosis of issues.
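
The mechanism described in the posts above (a hash keyed by session_id, with expiry so it cannot grow without bound), sketched in plain Ruby as an added example that is not part of the original thread and is not a Logstash plugin. The class name `SessionEnricher`, the field names `session_id` and `username`, and the TTL and size limits are assumptions made for illustration.

```ruby
# Added example: session_id -> username cache with idle TTL and a size bound.
# Field names ('session_id', 'username') and the limits are assumptions.
class SessionEnricher
  def initialize(ttl: 1800, max_entries: 10_000)
    @ttl = ttl
    @max_entries = max_entries
    @store = {} # session_id => [username, last_seen]; Hash keeps insertion order
  end

  # Enrich one event (a Hash) in place; `now` is in seconds, injectable for tests.
  def process(event, now: Time.now.to_f)
    expire(now)
    sid = event['session_id']
    return event if sid.nil?

    if event['username']
      # Session start: remember the username for this session.
      @store.delete(sid)
      @store[sid] = [event['username'], now]
      evict_oldest
    elsif (entry = @store.delete(sid))
      # Later event: copy the username and refresh the idle timer.
      event['username'] = entry[0]
      @store[sid] = [entry[0], now]
    end
    event
  end

  def size
    @store.size
  end

  private

  # Entries are re-inserted on every touch, so the hash stays ordered by
  # last_seen and expired entries are always at the front.
  def expire(now)
    while (first = @store.first) && now - first[1][1] > @ttl
      @store.delete(first[0])
    end
  end

  # Hard cap: drop the least recently seen sessions first.
  def evict_oldest
    @store.shift while @store.size > @max_entries
  end
end
```

A cache like this is only correct when a session's events pass through a single instance in order; with several parallel workers a later event can be processed before the login event and will go unenriched.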