Only keep the most recent line when the id is the same

Pierre2 · May 4, 2018, 1:57pm

Hello,

My logs lines can have the same ID. If it's the case I want to keep only the most recent line of them.
For exemple if I have 3 lines with these fields :

ID : 2568 | a : toto | b : tata | @timestamp : 4 may 2018 00:00:00

ID : 2568 | a : momo| b : titi | @timestamp : 4 may 2018 05:00:00

ID : 2568 | a : thyt| b : drgfr| @timestamp : 4 may 2018 16:00:00

In this example the 3 lines have the same ID so I only want the most recent of them so :

ID : 2568 | a: thyt| b: drgfr| @timestamp : 4 may 2018 16:00:00

I don't know how to proceed... Should I use the agreggate filter ? If it's the case, how ?

Thanks

ddorian43 · May 4, 2018, 1:59pm

See field collapsing https://www.elastic.co/guide/en/elasticsearch/reference/current/search-request-collapse.html

Pierre2 · May 4, 2018, 2:12pm

I want to do this in logstash and only keep the most recent lines and drop the others. I want to do this verification every x seconds. I do not that it is possible with field collapsing, am I right ?

ddorian43 · May 4, 2018, 2:25pm

Yes. Collapsing is only for querying. Looks like you want to delete, which I don't know how.

system · June 1, 2018, 2:35pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Get the most recent event among event where have the same ID Logstash	6	600	July 20, 2018
Combine Log Lines That Share A Unique ID Logstash	4	10013	July 6, 2017
Logstash output file Elasticsearch	6	639	July 5, 2017
Keeping duplicates Logstash	5	249	September 19, 2019
Combine fields in Elasticsearch from logs with same ID Logstash	7	1640	August 25, 2020

Only keep the most recent line when the id is the same

Related Topics