Logstash/grok to match only first occurrence and stop parsing repeatedly for same values

Badger · May 27, 2021, 7:17pm

If that is really what you want (one document for each value of temperature) then use the temperature as the document_id (assuming you are sending data to elasticsearch). If you are not using elasticsearch you could do it in a ruby filter using something like

ruby {
    init => '@seenValues = {}'
    code => '
        value = event.get("someField")
        if @seenValues.include? (value)
            event.cancel
        end
        @seenValues[value] = 1
    '
}

If you only want events where that field changes then it can also be done using ruby. Something like

ruby {
    init => '@lastValue = ""'
    code => '
        value = event.get("someField")
        if value == @lastValue
            event.cancel
        end
        @lastValue = value
    '
}

In either case you will need pipeline.workers set to 1 and pipeline.ordered set to auto (the default in v7.x).

Topic		Replies	Views
Stop proccesing events/lines after first grok match Logstash	11	2772	February 9, 2020
Logstash read previous events fields from elasticsearch in case of high events rate Logstash	4	559	February 14, 2021
Save a value to variable Logstash	5	1418	July 6, 2017
Logstash - Parse formatted message with Ruby Code Logstash	5	1297	January 18, 2020
Duplicated data in index Logstash	3	163	November 16, 2022

Logstash/grok to match only first occurrence and stop parsing repeatedly for same values

Related Topics