Logstash aggregate filter plugin

ozmhsh · February 12, 2019, 11:56am

Hi Everyone,

I have a log file to parse as below:
INFO - ID1 - 2019/01/01
INFO - ID2
Other logs 2019/01/02
INFO - ID3 - 2019/01/03

How can I use Aggregate Filter plugin to produce below?
ID1 2019/01/01
ID2 2019/01/02
ID3 2019/01/03

Thanks

ozmhsh · February 14, 2019, 9:34am

Any idea or suggestion?

Badger · February 14, 2019, 2:05pm

You could try doing it in ruby

    if [message] =~ /^INFO/ {
        grok { match => { "message" => "INFO - %{WORD:id}" } }
    }
    ruby {
        code => '
            id = event.get("id")
            if id
                @id = id
            else
                event.set("id", @id)
            end
        '
    }
    if [message] =~ /[0-9]{4}\/[0-9]{2}\/[0-9]{2}$/ {
        grok { match => { "message" => "(?<date>[0-9]{4}\/[0-9]{2}\/[0-9]{2})$" } }
    } else {
        drop {}
    }

ozmhsh · February 14, 2019, 11:16pm

Thank you so much Badger! It works like a charm!

system · March 14, 2019, 11:16pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash Aggregate Filter output different result each time Logstash	6	391	August 12, 2020
Logstash aggregate filter not working Logstash	2	943	January 11, 2017
Trouble with aggregate filter? Logstash	17	609	June 1, 2020
Help with Aggregate filter Logstash	4	282	March 25, 2022
GROK filter cannot be applied on aggregated events Logstash	12	2222	July 6, 2017

Logstash aggregate filter plugin

Related Topics