I am trying to deduplicate my events one the basis of timestamp and operation field. But it did not work?

Subrato1 · January 23, 2024, 8:18am

My Log event:

{
          "priority" => 13,
              "host" => "172.31.63.35",
       "consistency" => "\"ONE\"",
            "source" => "\"127.0.0.1",
              "type" => "scylladb",
          "severity" => 5,
         "logsource" => "ip-172-31-63-35.ec2.internal",
       "source_port" => "0\"",
           "program" => "scylla-audit",
         "server_ip" => "\"172.31.63.35",
          "facility" => 1,
        "table_name" => "\"demo\"",
          "@version" => "1",
         "operation" => "\"create table demo (ID int Primary key);\"",
          "username" => "\"cassandra\"",
          "category" => "\"DDL\"",
           "message" => "\"172.31.63.35:0\", \"DDL\", \"ONE\", \"demo\", \"mykeyspace\", \"create table demo (ID int Primary key);\", \"127.0.0.1:0\", \"cassandra\", \"false\"",
         "timestamp" => "2024-01-23T06:12:14.000Z",
    "severity_label" => "Notice",
             "error" => "\"false\"",
    "facility_label" => "user-level",
     "keyspace_name" => "\"mykeyspace\"",
       "server_port" => "0\"",
        "@timestamp" => 2024-01-23T06:12:14.000Z
}


{
          "priority" => 13,
              "host" => "172.31.63.35",
       "consistency" => "\"ONE\"",
            "source" => "\"127.0.0.1",
              "type" => "scylladb",
          "severity" => 5,
         "logsource" => "ip-172-31-63-35.ec2.internal",
       "source_port" => "0\"",
           "program" => "scylla-audit",
         "server_ip" => "\"172.31.63.35",
          "facility" => 1,
        "table_name" => "\"demo\"",
          "@version" => "1",
         "operation" => "\"create table demo (ID int Primary key);\"",
          "username" => "\"cassandra\"",
          "category" => "\"DDL\"",
           "message" => "\"172.31.63.35:0\", \"DDL\", \"ONE\", \"demo\", \"mykeyspace\", \"create table demo (ID int Primary key);\", \"127.0.0.1:0\", \"cassandra\", \"false\"",
         "timestamp" => "2024-01-23T06:12:14.000Z",
    "severity_label" => "Notice",
             "error" => "\"false\"",
    "facility_label" => "user-level",
     "keyspace_name" => "\"mykeyspace\"",
       "server_port" => "0\"",
        "@timestamp" => 2024-01-23T06:12:14.000Z
}

My Used Method:

aggregate {
		task_id => "%{timestamp}%{operation}"
		code => "
		  map['timestamp'] ||= event.get('timestamp')
		  map['operation'] ||= event.get('operation')
		  
		  if map['timestamp'] < event.get('timestamp')
			event.set('query_result', event.get('result'))
			map['timestamp'] = event.get('timestamp')
		  else
			event.cancel()
		  end
		"
		push_map_as_event_on_timeout => true
		timeout_task_id_field => "timestamp"
		timeout => 5
	  }

system · February 20, 2024, 8:19am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
I Want to remove the duplicate events inside Logstash filter how could I do that? I mention the events below please have a look and suggest Logstash	7	620	January 12, 2024
Copy the value of a field into an event and paste it into another field and another event Logstash	1	796	June 27, 2017
Copying field in from one event to other in logstash Logstash	9	911	April 1, 2019
Logstash - Parsing fields with duplicate names Logstash	6	232	November 28, 2023
How we can remove deduplication event in logstash Elasticsearch	7	610	September 1, 2023

I am trying to deduplicate my events one the basis of timestamp and operation field. But it did not work?

Related topics