Logstash - aggregate messages - start with new line

Vincent_Chen · October 9, 2019, 11:19pm

Hi everyone,

I am trying to aggregate events related to the same transaction. The aggregate part works fine, I am able to merge all related events into the same field. But I want each event to be placed at a newline.

See my aggregate filter:

aggregate {
      task_id => "%{thread}"
      code => "map['new_msg'] << '\n'; map['new_msg'] << event.get('message'); event.set('new_msg', map['new_msg'])"
      map_action => "update"
      end_of_task => true
      timeout => 360
    }

This is what my field looks like:

message1\nmessage2\nmessage3\n

This is what I want them to be:

message1
message2
message3

Could anyone please help.

Cheers,
Vincent

Badger · October 9, 2019, 11:34pm

Can you explain what you want the event to look like as either JSON or rubydebug output?

Vincent_Chen · October 10, 2019, 12:56am

Hi @Badger
We want that to be json format. So that when searching from Kibana, we can see the message field is actually multiple line. Rather than one event after another.

Cheers,
Vincent

Badger · October 10, 2019, 12:49pm

OK, I'll take that as "no".

system · November 7, 2019, 12:49pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash aggregate filter not working Logstash	2	943	January 11, 2017
Aggregate - concatenate events Logstash	6	3062	May 3, 2018
Keep newline formating with multiline Logstash	4	4244	November 16, 2017
Aggregate filter (Combine Logs) Logstash	2	325	April 24, 2018
Aggregate all event messages Logstash	2	1262	March 13, 2017

Logstash - aggregate messages - start with new line

Related topics