Logstash/grok to match only first occurrence and stop parsing repeatedly for same values

Badger · May 27, 2021, 7:17pm

If that is really what you want (one document for each value of temperature) then use the temperature as the document_id (assuming you are sending data to elasticsearch). If you are not using elasticsearch you could do it in a ruby filter using something like

ruby {
    init => '@seenValues = {}'
    code => '
        value = event.get("someField")
        if @seenValues.include? (value)
            event.cancel
        end
        @seenValues[value] = 1
    '
}

If you only want events where that field changes then it can also be done using ruby. Something like

ruby {
    init => '@lastValue = ""'
    code => '
        value = event.get("someField")
        if value == @lastValue
            event.cancel
        end
        @lastValue = value
    '
}

In either case you will need pipeline.workers set to 1 and pipeline.ordered set to auto (the default in v7.x).

Topic		Replies	Views
Stop proccesing events/lines after first grok match Logstash	11	2780	February 9, 2020
Logstash read previous events fields from elasticsearch in case of high events rate Logstash	4	560	February 14, 2021
Grok filter only uses last match, can this be changed? Logstash	1	762	December 23, 2016
Save a value to variable Logstash	5	1420	July 6, 2017
Iteration in Logstash Logstash	5	14161	July 6, 2017

Logstash/grok to match only first occurrence and stop parsing repeatedly for same values

Related topics