Hi,
I have interlaced events that stream in every minute.
For example:
event 1:
task_id: "routerA-site1"
metric1: val1
metric2: val2
event 2:
task_id:"routerB-site1"
metric1: val1
metric2: val2
event3:
task_id:"routerA-site1"
metric3: val3
metric4: val4
I want to be able to aggregate event1 and event3 since they both have the same task_id. I wanted to do something similar to below but it's not producing the output I need. I don't want to map out each individual field and value manually either.
aggregate {
task_id => "%{router}-%{site}"
timeout_task_id_field => "task_id"
timeout_timestamp_field => "@timestamp"
code => "
event.to_hash.each { |k,v|
unless map[k]
map[k] = v
end
}
"
#push_previous_map_as_event => true
push_map_as_event_on_timeout => true
timeout => 60
}
Thank you.