Logstash aggregate filter not working

Hi,
I am using logstash logstash-2.4.1. I am running the instance using the -w 1 flag as recommended for the aggregate plugin. I am trying to parse my log file; a sample is below

START*******
Multi line
messsage
could be
XML
END********

My aggregate configuration is as below:

filter {
  if "START" in [message] {
    # START line: create a fresh map for this task and reset the buffer
    aggregate {
      task_id => "%{file}"
      code => "map['fullmessage'] = '';"
      map_action => "create"
    }
  }
  else if "END" in [message] {
    # END line: copy the buffer into this event, tag it and close the task
    aggregate {
      task_id => "%{file}"
      code => "event['message'] = map['fullmessage'];"
      map_action => "update"
      add_tag => ["aggregated"]
      end_of_task => true
      timeout => 90
    }
  }
  else {
    # any other line: append it to the buffer of the open task
    aggregate {
      task_id => "%{file}"
      code => "map['fullmessage'] += event['message']"
      map_action => "update"
    }
  }
  # only the aggregated END event is kept; every other line is dropped
  if "aggregated" not in [tags] {
    drop {}
  }
}

This is not generating any output; here is my output section:

output {
  stdout { codec => rubydebug }
}

Without aggregate it is working fine, but the problem is that I get each line as a new event, whereas I would like to take all lines as one event from START to END. Any help would be much appreciated. Thanks.

For now I have used following multiline codec configuration in my input to merge all lines before END line.

codec => multiline {
  pattern => "(\\*END\\*)|(\\* END \\*)"
  what => "previous"
  negate => true
  auto_flush_interval => 10
}

The only problem is that the line with the END text is generated as a separate event during flush, i.e. I get two events as follows:

START*******
Multi line
messsage
could be
XML

And second is

END********

I can live with this for now :slight_smile: until someone provides a better solution.
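Added example, not part of the original post or of the aggregate plugin: a stand-alone Ruby model of what the three aggregate code blocks above do with the shared per-task map, so the START/END merge logic (and the two things that silently break it: an unresolved task_id field and lines joined without newlines) can be checked outside Logstash. It assumes the task_id field is "path" (the field the file input actually sets; the post's config used "%{file}") and uses constructed events built from the sample lines in the post.

```ruby
# Added example (not the post's or the plugin's own code): models the
# aggregate filter's per-task map for a START ... END block.
# Assumption: the task_id field is "path"; the post's config used "%{file}",
# which the plugin skips when that field does not exist on the event.

# Constructed sample input: the lines from the post, all from one file.
SAMPLE_EVENTS = [
  "START*******", "Multi line", "messsage", "could be", "XML", "END********"
].map { |line| { "message" => line, "path" => "/var/log/app.log" } }

# Mirrors the three aggregate {} blocks from the post. Returns the events
# that would survive the `drop {}` (only the tagged END event per task).
def aggregate_start_end(events, task_field: "path")
  maps = {}     # task_id => map, like the plugin's in-memory map store
  emitted = []
  events.each do |event|
    task_id = event[task_field]
    next if task_id.nil?   # plugin does nothing when task_id cannot resolve
    msg = event["message"]
    if msg.include?("START")
      maps[task_id] = { "fullmessage" => [] }         # map_action => "create"
    elsif msg.include?("END")
      map = maps.delete(task_id)                       # end_of_task => true
      next if map.nil?                                 # END without an open task
      # join with "\n": the post's `+=` concatenates lines without separators
      emitted << event.merge("message" => map["fullmessage"].join("\n"),
                             "tags" => ["aggregated"])  # add_tag => ["aggregated"]
    else
      map = maps[task_id]
      next if map.nil?                                 # "update" needs a map
      map["fullmessage"] << msg
    end
  end
  emitted
end

if __FILE__ == $0
  aggregate_start_end(SAMPLE_EVENTS).each { |e| puts e["message"] }
end
```

Running it prints the four inner lines as one message; passing the same events without a "path" field yields nothing, which is what a task_id of "%{file}" with no such field looks like in practice.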
