@Badger
Thank you. Your suggestion worked. As for your question, I'm now using only
push_previous_map_as_event => true
Do I need to set a timeout (timeout => 60) when using push_previous_map_as_event?
I configured my aggregate filter like this (without timeout) and it's working.
aggregate {
  # one map per device/sequence/component combination
  task_id => "%{device}-%{sequence}-%{component-name}"
  timeout_task_id_field => "task_id"
  timeout_timestamp_field => "@timestamp"
  # Ruby run for every event; `map` is shared by all events with the same task_id
  code => "
    map['sequence'] ||= event.get('sequence')
    map['device'] ||= event.get('device')
    map['component-name'] ||= event.get('component-name')
    map['properties'] ||= {}
    map[event.get('property-name')] = event.get('property-value')
  "
  # when a new task_id arrives, push the previous map as its own event
  push_previous_map_as_event => true
}
I also have another question about the "code =>" syntax. Is that all pure Ruby code between the double quotes, or is it some sort of trimmed-down version of it? I haven't learned Ruby yet, but are there any references that I can read up on that would show me how to use Ruby with Elasticsearch? I know there is an Event API in ES that we can use to get and set events, but I just needed more reading material on how we use map['...'] to dynamically create fields and assign values to them. Thank you!
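As an added example (not from this thread or from the Logstash project), a small Ruby simulation of how the aggregate filter's map behaves with push_previous_map_as_event: the Event class, the task_id formatting and the final flush are simplified stand-ins for Logstash's own, and the sample events are constructed. It runs the same Ruby as the poster's `code =>` string so you can see which fields the pushed event ends up carrying.

```ruby
# Minimal stand-in for the Logstash Event API used inside `code =>`.
class Event
  def initialize(fields)
    @fields = fields
  end

  def get(key)
    @fields[key]
  end
end

# Constructed sample events in arrival order; the task_id changes at event 3.
SAMPLE_EVENTS = [
  { 'device' => 'dev1', 'sequence' => '1', 'component-name' => 'cpu',
    'property-name' => 'temp', 'property-value' => '55' },
  { 'device' => 'dev1', 'sequence' => '1', 'component-name' => 'cpu',
    'property-name' => 'load', 'property-value' => '0.7' },
  { 'device' => 'dev1', 'sequence' => '2', 'component-name' => 'fan',
    'property-name' => 'rpm', 'property-value' => '1200' },
].map { |h| Event.new(h) }

# Same Ruby as the `code =>` block above: `map` is a plain Hash shared by all
# events with the same task_id, `event` is the event currently being filtered.
CODE = lambda do |event, map|
  map['sequence'] ||= event.get('sequence')
  map['device'] ||= event.get('device')
  map['component-name'] ||= event.get('component-name')
  map['properties'] ||= {}
  map[event.get('property-name')] = event.get('property-value')
end

# Simplified model of push_previous_map_as_event: when an event with a different
# task_id arrives, the previous map is pushed as a new event (with the id in
# `task_id`, as timeout_task_id_field does) and a fresh map starts. The last map
# is pushed here on flush; real Logstash pushes it on timeout or at shutdown.
def aggregate(events, code)
  pushed = []
  current_id = nil
  map = nil
  events.each do |event|
    task_id = "#{event.get('device')}-#{event.get('sequence')}-#{event.get('component-name')}"
    if task_id != current_id
      pushed << Event.new(map.merge('task_id' => current_id)) if map
      current_id = task_id
      map = {}
    end
    code.call(event, map)
  end
  pushed << Event.new(map.merge('task_id' => current_id)) if map # final flush
  pushed
end
```

Note that with the code as written the property values land at the top level of the map next to an empty `properties` hash; writing `map['properties'][event.get('property-name')] = ...` instead would nest them.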