Logstash/grok to match only first occurrence and stop parsing repeatedly for same values

Badger · May 27, 2021, 7:17pm

If that is really what you want (one document for each value of temperature) then use the temperature as the document_id (assuming you are sending data to elasticsearch). If you are not using elasticsearch you could do it in a ruby filter using something like

ruby {
    init => '@seenValues = {}'
    code => '
        value = event.get("someField")
        if @seenValues.include? (value)
            event.cancel
        end
        @seenValues[value] = 1
    '
}

If you only want events where that field changes then it can also be done using ruby. Something like

ruby {
    init => '@lastValue = ""'
    code => '
        value = event.get("someField")
        if value == @lastValue
            event.cancel
        end
        @lastValue = value
    '
}

In either case you will need pipeline.workers set to 1 and pipeline.ordered set to auto (the default in v7.x).

Topic		Replies	Views
Logstash issue grok Logstash	12	997	July 6, 2017
Remove duplicates in logstash logs Logstash	4	4230	June 29, 2018
How do I match a newline in grok/logstash Logstash	13	16747	July 6, 2017
Strang things happened when logstash grok the log message Logstash	7	1115	January 18, 2017
How to manage multiline events based on a random field Logstash	24	5684	July 6, 2017

Logstash/grok to match only first occurrence and stop parsing repeatedly for same values

Related topics