Multiple aggregate filter with same task_id pattern doesn't share map

Andrey_Tomilin · March 11, 2019, 9:28am

Here are events:

Id: 0, Source: a, Status: 0
Id: 1, Source: a, Status: 1
Id: 2, Source: a, Status: 0
Id: 3, Source: a, Status: 1
Id: 4, Source: a, Status: 1
Id: 5, Source: a, Status: 0
Id: 6, Source: a, Status: 1
Id: 7, Source: a, Status: 1
Id: 8, Source: a, Status: 1

The mission is to output events with status 1, only the first one in its sequence. So here I expect events with ids: 1, 3 and 6

I'm using the Aggregate filter (as didn't find anything better for this task)

if [status] == 1 {
   aggregate {
	
       task_id => "%{source}"
       code => "
       map['count'] ||= 0
       map['count'] += 1
	
       if (map['count'] > 1)
       # after everything will work, I will uncomment this line
       #	event.cancel()
       end

       event.set('count', map['count'])
       "
   }
}

if [status] == 0 {
   aggregate {
       task_id => "%{source}"
       end_of_task => true
       code => "
         map['count'] = 0
         event.set('count', map['count'])
         # after everything will work, I will uncomment this line
         #	event.cancel()
       "
   }
}

Output :

{ "id" => 0, "count" => 0, "source" => "a", "status" => 0 }
{ "id" => 1, "count" => 1, "source" => "a", "status" => 1 }
{ "id" => 2, "count" => 0, "source" => "a", "status" => 0 }
{ "id" => 3, "count" => 2, "source" => "a", "status" => 1 }
{ "id" => 4, "count" => 3, "source" => "a", "status" => 1 }
{ "id" => 5, "count" => 0, "source" => "a", "status" => 0 }
{ "id" => 6, "count" => 4, "source" => "a", "status" => 1 }
{ "id" => 7, "count" => 5, "source" => "a", "status" => 1 }
{ "id" => 8, "count" => 6, "source" => "a", "status" => 1 }

As you see the count field isn't reset on status=0 event.
Note that I run Logstash with "-w 1" to make sure there is single worker here

Badger · March 11, 2019, 1:33pm

The problem is that the pipeline process events in batches, so multiple events go through the first filter before anything goes through the second filter.

Try '--pipeline.batch.size 1'. It will fix your problem, but it is less efficient.

Andrey_Tomilin · March 11, 2019, 1:41pm

Thanks, I see this indeed working now.
Does this mean that the "--pipeline.batch.size 1" is absolutely required by the aggregate filter? I didn't see it in any documentations

Badger · March 11, 2019, 1:58pm

No, it is not normally required, it is a peculiarity of the particular code blocks you have. I have never seen an aggregate configuration before that required something in the second filter code block to be visible to the first filter code block.

Andrey_Tomilin · March 11, 2019, 2:02pm

This is my first aggregation filter. This article very helped me to get how things work. Suspect this setting should be there as well.
Anyway, thanks you help

P.S.
Found another way to make things work (with single aggregate filter):

aggregate {
    task_id => "%{source}"
    code => "
    map['count'] ||= 0
    map['count'] += 1

    if (event.get('status') == 0)
        map.clear()
        event.cancel()
    else
        if (map['count'] > 1)
            event.cancel()
        end
    end

    event.set('count', map['count'])
    "
}

system · April 8, 2019, 2:04pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How does aggregate with different task_id in one filter part works Logstash	2	327	August 24, 2020
Using aggregate filter to merge different events Logstash	4	385	September 29, 2019
Logstash aggregation filter Logstash	7	285	September 9, 2020
Aggregate filter - stop after N events Logstash	1	439	January 4, 2020
Aggregate filter: How to delete the event when no matching task_id found within the timeout? Logstash	4	577	July 8, 2021

Multiple aggregate filter with same task_id pattern doesn't share map

Related topics