Push_previous_map_as_event into fields

mohsin106 · June 30, 2020, 1:10pm

Hi,

I'm trying to use push_previous_map_as_event to aggregate and save everything as key/value fields in a document.

My data looks like this:

device: router1
property: mem_prop1 ( there are twelve properties per component-name for a device)
component-name: FPC1:CPU1
value: 1
sequence: 1000 (this appears to be unique per device and component-name)

device: router2
property: mem_prop2
component-name: FPC2:CPU2
value: 2
sequence: 2000

This is my aggregate filter which is storing the property-name and value inside an array:

     if [component-name] and [property-name] and [property-value] {
            aggregate {
                task_id => "%{device}-%{sequence}-%{component-name}"
                timeout_task_id_field => "task_id"
                timeout_timestamp_field => "@timestamp"
                code => "
                    map['sequence'] ||= event.get('sequence')
                    map['device'] ||= event.get('device')
                    map['component-name'] ||= event.get('component-name')
                    map['properties'] ||= []
                    map['properties'] << {event.get('property-name') => event.get('property-value')}
                "
                push_map_as_event_on_timeout => true
                push_previous_map_as_event => true
                timeout => 60
            }
        }
        else {
            drop {}
        }

My output looks like this:

    "properties": [
          {
            "mem-util-packet-dma-utilization": 9
          },
          {
            "mem-util-kernel-flow-table-allocations-failed": 0
          },
          {
            "mem-util-kernel-toe-pkt-transfer-allocations-failed": 0
          },
          {
            "mem-util-kernel-cos-allocations-failed": 0
          },
          {
            "mem-util-kernel-filter-allocations-failed": 0
          },
          {
            "mem-util-kernel-rtt-allocations-failed": 0
          },
          {
            "mem-util-kernel-rt-allocations-failed": 0
          },
          {
            "mem-util-kernel-iff-allocations-failed": 0
          },
          {
            "mem-util-kernel-ifl-allocations-failed": 0
          },
          {
            "mem-util-kernel-size": 3221225472
          },
          {
            "mem-util-kernel-utilization": 26
          },
          {
            "mem-util-kernel-bytes-allocated": 860475368
          }
        ]

I'd like to flatten properties out so that all of the property-names and values get saved as key/value fields in the aggregated document. How do I do that?

Thank you.

Badger · June 30, 2020, 4:13pm

Replace that with

map['properties'] ||= {}
map['properties'][event.get('property-name')] = event.get('property-value')

or even

map[event.get('property-name')] = event.get('property-value')

BTW are you sure you want both of these?...

            push_map_as_event_on_timeout => true
            push_previous_map_as_event => true

mohsin106 · June 30, 2020, 6:23pm

@Badger
Thank you. Your suggestion worked. As for your question, I'm now using only

push_previous_map_as_event => true

Do I need to set a timeout (timeout => 60) when using push_previous_map_as_event?

I configured my aggregate filter like this (without timeout) and it's working.

aggregate {
task_id => "%{device}-%{sequence}-%{component-name}"
timeout_task_id_field => "task_id"
timeout_timestamp_field => "@timestamp"
code => "
map['sequence'] ||= event.get('sequence')
map['device'] ||= event.get('device')
map['component-name'] ||= event.get('component-name')
map['properties'] ||= {}
map[event.get('property-name')] = event.get('property-value')
"
push_previous_map_as_event => true
}

I also have another question about the "code =>" syntax. Is that all pure Ruby code between the double quotes or is it some sort of trimmed down version of it? I haven't learned Ruby yet but are there any references that I can read up on that would show me how to utilize Ruby with Elastic Search? I know there is an Event API in ES that we can utilize to get and set events, but just needed more reading material on how we use map['...'] to dynamically create fields and assign values to them. Thank you!

Badger · June 30, 2020, 6:38pm

You do not need to set timeout if using push_previous_map_as_event

Yes, it is pure Ruby code in the code option of a ruby filter. I cannot think of a reference to suggest.

mohsin106 · June 30, 2020, 6:41pm

Got it. Thanks again for your help!

system · July 28, 2020, 6:41pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Push logstash aggregate map as fields in final event Logstash	4	1089	December 31, 2021
Push_previous_map_as_event if fields exist Logstash	40	2231	January 11, 2021
Logstash Aggregate copy last Event to Map Logstash	4	1424	November 4, 2020
Aggregate push_previous_map_as_event seems not work Logstash	2	1367	February 6, 2018
Aggregate Plugin push_previous_map_as_event Logstash	5	387	November 13, 2019

Push_previous_map_as_event into fields

Related topics