Logstash Aggregation Plugin

Elk_huh · June 6, 2019, 4:50pm

We are getting multiple events come in ( because of multiple botnet calls, but it is the same SRC and DST) How do you use the aggregation plugin to combine it all into 1 . Timestamps are slightly different

	Time 	src      	dhost        	dst        	requestMethod        	request        	act        	outcome        	reason        	riskScore        	requestContext      
	June 2nd 2019, 1.2.3.4		62.212.33.98	62.212.33.98	CONNECT	62.212.33.98/	Blocked	403	Reputation block outbound request: botnet site	0	None
	June 2nd 2019, 1.2.3.4		62.212.33.98	62.212.33.98	CONNECT	62.212.33.98/	Blocked	403	Reputation block outbound request: botnet site	0	None
	June 2nd 2019, 1.2.3.4	   62.212.33.98	    62.212.33.98	CONNECT	62.212.33.98/	Blocked	403	Reputation block outbound request: botnet site	0	None

Badger · June 6, 2019, 5:28pm

What do you want to aggregate?

Elk_huh · June 6, 2019, 6:07pm

"src" and "dst" and "request"

Badger · June 6, 2019, 6:57pm

Those three fields have the same values in those three messages. It does not make any sense to aggregate them.

Elk_huh · June 6, 2019, 6:58pm

Thats the problem, We get multiple events from zscaler for the same thing that happened . Thats why im trying to condense it into 1 document

Badger · June 6, 2019, 7:04pm

It sounds like you want to do de-duplication. If you are using an elasticsearch output then this blog has some ideas.

system · July 4, 2019, 7:04pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash in Docker - Combine 2 events into 1 event Logstash	1	651	November 14, 2017
Combining two events in one Logstash	9	9690	July 6, 2017
Combine Log Lines That Share A Unique ID Logstash	4	10108	July 6, 2017
How can i aggregate this Logstash	1	456	June 22, 2017
Aggregating json events Logstash	2	363	November 19, 2018

Logstash Aggregation Plugin

Related topics