Logstash Aggregate plugin don´t aggregate

gleberrl · December 5, 2017, 12:12pm

I have this logs and need aggregate to selected fields:

I don´t have error log, but I not see aggregated log´s

My logstash aggregate config:

            if [type] == "Logs-Clientes" {
                    aggregate {
                            task_id => "%{user}%{src_address}%{src_port}%{dst_address}%{dst_port}"
                            code => "map['c_bytes'] ||= 0 ; map['c_bytes'] += event.get('bytes')"
                            timeout => 5
                            timeout_tags => ['_aggregatetimeout']
                            timeout_code => "event.set('bytes', map['c_bytes'])"
                    }
            }
           if "_aggregatetimeout" not in [tags] {
                   drop {}
           }

Thank´s

gleberrl · December 11, 2017, 3:11pm

Hi,

when I put this function, my problem it´s resolved!

            if [type] == "Logs-Clientes" {
                    aggregate {
                            task_id => "%{user}_%{src_address}_%{src_port}_%{dst_address}_%{dst_port}"
                            code => "map['sum_bytes'] ||= 0 ;
                                    map['sum_bytes'] += event.get('lenght') ;
                                    map['my_count'] ||= 0 ;
                                    map['my_count'] += 1 ;
                                    if map['my_count'] == 40
                                            event.set('bytes', (map['sum_bytes']))
                                            event.set('Aggregation', true)
                                            map['sum_bytes'] = 0
                                            map['my_count'] = 0
                                    end
                            "
                    }
                    if [Aggregation] {
                            aggregate {
                                    task_id => "%{user}_%{src_address}_%{src_port}_%{dst_address}_%{dst_port}"
                                    code => ""
                                    end_of_task => "true"
                            }
                    }
                    if (![Aggregation]) {
                            drop {}
                    }

                    mutate {
                            remove_field => [ "lenght", "Aggregation" ]
                    }

            }

Thanks

gleberrl · December 11, 2017, 3:12pm

Solved!

system · January 8, 2018, 3:12pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.