Push_previous_map_as_event if fields exist

Badger · September 30, 2020, 9:26pm

input { generator { count => 1 lines => [ '{ "task": 1, "in-mb": 10 }', '{ "task": 1, "cpu": 0.1}', '{ "task": 2, "in-mb": 11 }' ] } }
filter {
    json { source => "message" remove_field => [ "message" ] }
    aggregate {
        task_id => "%{task}"
        timeout_task_id_field => "task_id"
        timeout_timestamp_field => "@timestamp"
        code => '
            event.to_hash.each { |k,v|
                unless map[k]
                    map[k] = v
                end
            }
        '
        push_previous_map_as_event => true
    }
}
output  { stdout { codec => rubydebug { metadata => false } } }

will produce these two aggregated events

{
      "task" => 1,
       "cpu" => 0.1,
   "task_id" => "1",
  "sequence" => 0,
     "in-mb" => 10,
  "@version" => "1",
      "host" => "dot.dot",
"@timestamp" => 2020-09-30T21:24:07.164Z
}
{
      "task" => 2,
   "task_id" => "2",
  "sequence" => 0,
     "in-mb" => 11,
      "tags" => [
    [0] "_aggregatefinalflush"
],
  "@version" => "1",
      "host" => "dot.dot",
"@timestamp" => 2020-09-30T21:24:07.251Z
}

Topic		Replies	Views
Push logstash aggregate map as fields in final event Logstash	4	1089	December 31, 2021
Aggregate push_previous_map_as_event seems not work Logstash	2	1367	February 6, 2018
Logstash Aggregate copy last Event to Map Logstash	4	1424	November 4, 2020
Push_previous_map_as_event into fields Logstash	5	535	July 28, 2020
How to compare for values in previous records Logstash	1	804	July 26, 2017

Push_previous_map_as_event if fields exist

Related topics