Logstach Aggregation filter not working. Data is not displayed in nested columns

aldol · April 18, 2019, 6:26pm

I have created the following aggregation in logstach. The data is not aggregated and is displayed next to the parent columns whereas they are supposed to be displayed in the nested columns:
Here is the mapping before running the logstach:
PUT s_c_nss
{
"mappings": {
"doc": {
"properties": {
"assigns": {
"type": "nested"
},
"others": {
"type": "nested"
}
}
}
}
}

Here is the filter in logstach:
filter {
aggregate {
task_id => "%{MyID}"
code => "
map['abc'] = event.get('abc')
map['cate'] = event.get('cate')
map['operator'] = event.get('operator')

  map['assigns_list'] ||= []
  map['assigns'] ||= []
  if (event.get('assigns_ID') != nil)
    if !( map['assigns_list'].include? event.get('assigns_ID') ) 
      map['assigns_list'] << event.get('assigns_ID')

      map['assigns'] << {
        'assigns.id' => event.get('assigns_ID'), 
        'assigns.abr' => event.get('abr'),
      }
    end
  end

  event.cancel()
"
push_previous_map_as_event => true
timeout => 5

}
mutate {
remove_field => ["assigns_list"]
}
}
--- The result shows the 'assigns.id' and 'assigns.abr' next to 'abc' and 'cate' columns and not nested under "assigns'.

aldol · April 18, 2019, 7:51pm

I just did further trouble shooting and found out my filter is not functioning.
Any help is appreciated.

Badger · April 18, 2019, 8:10pm

With that filter I get this. What don't you like about it?

{
      "cate" => "B",
   "assigns" => [
    [0] {
        "assigns.abr" => "F",
         "assigns.id" => "D"
    }
],
      "tags" => [
    [0] "_aggregatefinalflush"
],
  "operator" => "C",
       "abc" => "A"
}

aldol · April 19, 2019, 5:13pm

I don't get such a result. Can you share the complete conf file? It should be some stupid extra comma or something like this.

Badger · April 19, 2019, 5:26pm

input { generator { count => 1 message => '' } }

filter {
    mutate { add_field => { "abc" => "A" "cate" => "B" operator => "C" assigns_ID => "D" abr => "E" "MyID" => "F" } }
    aggregate {
    task_id => "%{MyID}"
    code => "
        map['abc'] = event.get('abc')
        map['cate'] = event.get('cate')
        map['operator'] = event.get('operator')

        map['assigns_list'] ||= []
        map['assigns'] ||= []
        if (event.get('assigns_ID') != nil)
            if !( map['assigns_list'].include? event.get('assigns_ID') )
                map['assigns_list'] << event.get('assigns_ID')

                map['assigns'] << {
                    'assigns.id' => event.get('assigns_ID'),
                    'assigns.abr' => event.get('abr'),
                }
            end
        end

        event.cancel()
    "
    push_previous_map_as_event => true
    timeout => 5
    }
}

output { stdout { codec => rubydebug { metadata => false } } }

gets me

{
         "abc" => "A",
    "operator" => "C",
"assigns_list" => [
    [0] "D"
],
     "assigns" => [
    [0] {
        "assigns.abr" => "E",
         "assigns.id" => "D"
    }
],
        "tags" => [
    [0] "_aggregatefinalflush"
],
        "cate" => "B",
[...]
}

aldol · April 21, 2019, 11:01pm

This helped me to troubleshoot my code and fix the issue.
I owe you a loud "Thank you!!!"

system · May 19, 2019, 11:16pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.