Merge JSON events

Dan_Markhasin · March 12, 2017, 3:21pm

I'm looking for some way to merge JSON events that have the same ID field.
For example, given the following incoming events:

{"id":"5f3f1cd7-517d-4d33-b4d5-5a7f6bc7630e", "value1":"somevalue"}
{"id":"5f3f1cd7-517d-4d33-b4d5-5a7f6bc7630e", "value2":"somevalue"}

I would like to get:

{"id":"5f3f1cd7-517d-4d33-b4d5-5a7f6bc7630e", "value1":"somevalue", "value2":"somevalue"}

I tried using the aggregate filter but it keeps generating empty events. My config is below; am I missing something?

aggregate {
    task_id => "%{id}"
    code => ""
    push_map_as_event_on_timeout => true
    timeout_task_id_field => "task_id"
    timeout => 5 # 10 minutes timeout
    timeout_tags => ['_aggregatetimeout']
  }

    if "_aggregatetimeout" not in [tags] {
      drop {}
    }

system · April 9, 2017, 3:21pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.