Push_map_as_event_on_timeout with interlaced events

mohsin106 · October 5, 2020, 3:23pm

Hi,

I have interlaced events that stream in every minute.

For example:

event 1:
  task_id: "routerA-site1"
    metric1: val1
    metric2: val2

event 2: 
  task_id:"routerB-site1"
    metric1: val1
    metric2: val2

event3:
  task_id:"routerA-site1"
    metric3: val3
    metric4: val4

I want to be able to aggregate event1 and event3 since they both have the same task_id. I wanted to do something similar to below but it's not producing the output I need. I don't want to map out each individual field and value manually either.

aggregate {
            task_id => "%{router}-%{site}"
            timeout_task_id_field => "task_id"
            timeout_timestamp_field => "@timestamp"
            code => "
                event.to_hash.each { |k,v|
                unless map[k]
                    map[k] = v
                end
            }
            "
            #push_previous_map_as_event => true
            push_map_as_event_on_timeout => true
            timeout => 60
        }

Thank you.

system · November 2, 2020, 3:23pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Ruby code to push whole map to event upon aggregate end_of_task Logstash	3	696	May 13, 2020
Aggregate Plugin push_previous_map_as_event Logstash	5	387	November 13, 2019
Aggregate plugin + event.get('@timestamp') Logstash	5	1883	January 10, 2018
Aggregation creating event on timeout, but not pushed to ES Logstash	1	401	October 10, 2017
Aggregate filter push map Logstash	2	401	August 16, 2018

Push_map_as_event_on_timeout with interlaced events

Related topics