Remembering Field Values

Kryten · February 3, 2017, 2:56pm

Hi,

Does anyone have any solutions for how to store and re-use field values between events?

For example if we have a log file that contains something like:-

Counter 1
stuff....
stuff....
Counter 2
stuff...
stuff...
stuff...
Counter 3
stuff...
stuff...

and so on. I need to be able to add the counter number which is currently active to the fields I'm grokking out of the "stuff..." lines.

I believe that this is possible with the "aggregate" filter but I have never been able to get it to work, or seen an example of how it could be done. I know that there is a community plugin called memorize but I'd rather try to accomplish this with standard plugins, if possible.

Thanks!

fbaligand · February 4, 2017, 4:26pm

aggregate seems to be the right plugin for your need.
If you look at logstash "master" documentation, you should find 4 examples explaining how you can use aggregate plugin.
Have you seen it ?

Kryten · February 4, 2017, 6:20pm

@fbaligand
Thanks, yes, I have seen it. But not been able to find a way to leverage those example to solve the -seemingly simple- problem outlined in my first post. Can you?

fbaligand · February 4, 2017, 6:55pm

Like that, your need is not precise enough so that I can help you.
Can you give some documents before aggregate plugin, and the expected result after aggregate plugin ?

fbaligand · February 4, 2017, 7:16pm

After reading one more time your need, I think this kind of configuration could do the job :

if [type] == "Counter" {
  aggregate {
    task_id => "%{host}%{path}"
    code => "map['counter_id'] = event.get('counter_id')"
  }
}

if [type] != "Counter" {
  aggregate {
    task_id => "%{host}%{path}"
    code => "event.set('counter_id', map['counter_id'])"
  }
}

Kryten · February 4, 2017, 8:43pm

@fbaligand
Thank you very much for your interest. I tried to implement your code but no joy just yet.
Here is what I have; hopefully it will be obvious where I am going wrong?

The (test) log file I am reading looks like this:

cycle 1
name: jellybeans
some: chocolate
cycle 2
name: bubblegum
name: gumdrops
name: candycanes
cycle 3
name: sherbet
name: candyfloss
cycle 4
name: mintdrops
name: icecream

My conf file is this:

input {
	file {
		path => "/Users/me/Downloads/logstash-2.3.1/source.log"
		ignore_older => 0
	}
}

filter {
	
	if [message] =~ /.*cycle.*/ {
		
		grok {
			match => { "message" => ".*cycle\s(?<cycle>\d*)"}
		}
	}
	
	if [cycle] {
		aggregate {
			task_id => "%{host}%{path}"
			code => "map['cycle'] = event.get('cycle')"
		}
	} else {
		aggregate {
			task_id => "%{host}%{path}"
			code => "event.set('cycle', map['cycle'])"
		}
	}	
}

output {
	stdout {
		codec => rubydebug
	}
}

Which I think is pretty much representative of the code/behaviour you suggested. I am not differentiating messages by [type] however as all my events are coming from the same log file so I cannot see where or why I would use different types.. I was thinking that I could just trigger the aggregate events based on what the event contains (a cycle value or not).

The output I get is basically this:

Aggregate exception occurred. Error: undefined method `set' for #<LogStash::Event:0x6173639f> ; Code: event.set('cycle', map['cycle']) ; Map: {} ; EventData: {"message"=>"name: candyfloss", "@version"=>"1", "@timestamp"=>"2017-02-04T20:32:10.648Z", "path"=>"/Users/me/Downloads/logstash-2.3.1/source.log", "host"=>"MBP"} {:level=>:error}
Aggregate exception occurred. Error: undefined method `get' for #<LogStash::Event:0x13833cc8> ; Code: map['cycle'] = event.get('cycle') ; Map: {} ; EventData: {"message"=>"cycle 4", "@version"=>"1", "@timestamp"=>"2017-02-04T20:32:10.648Z", "path"=>"/Users/me/Downloads/logstash-2.3.1/source.log", "host"=>"MBP", "cycle"=>"4"} {:level=>:error}
Aggregate exception occurred. Error: undefined method `set' for #<LogStash::Event:0x35a0a565> ; Code: event.set('cycle', map['cycle']) ; Map: {} ; EventData: {"message"=>"name: mintdrops", "@version"=>"1", "@timestamp"=>"2017-02-04T20:32:10.649Z", "path"=>"/Users/me/Downloads/logstash-2.3.1/source.log", "host"=>"MBP"} {:level=>:error}
Aggregate exception occurred. Error: undefined method `set' for #<LogStash::Event:0x74778748> ; Code: event.set('cycle', map['cycle']) ; Map: {} ; EventData: {"message"=>"name: icecream", "@version"=>"1", "@timestamp"=>"2017-02-04T20:32:10.649Z", "path"=>"/Users/me/Downloads/logstash-2.3.1/source.log", "host"=>"MBP"} {:level=>:error}
{
       "message" => "cycle 1",
      "@version" => "1",
    "@timestamp" => "2017-02-04T20:32:10.645Z",
          "path" => "/Users/me/Downloads/logstash-2.3.1/source.log",
          "host" => "MBP",
         "cycle" => "1",
          "tags" => [
        [0] "_aggregateexception"
    ]
}
{
       "message" => "name: jellybeans",
      "@version" => "1",
    "@timestamp" => "2017-02-04T20:32:10.646Z",
          "path" => "/Users/me/Downloads/logstash-2.3.1/source.log",
          "host" => "MBP",
          "tags" => [
        [0] "_aggregateexception"
    ]
}
{
       "message" => "name: chocolate",
      "@version" => "1",
    "@timestamp" => "2017-02-04T20:32:10.647Z",
          "path" => "/Users/me/Downloads/logstash-2.3.1/source.log",
          "host" => "MBP",
          "tags" => [
        [0] "_aggregateexception"
    ]
}

As I am sure you are aware I am looking for the current value of cycle to be present in all events.

Really appreciate this!

fbaligand · February 4, 2017, 9:13pm

Ok, I saw in your error stack trace that you use logstash 2.3.1. The code that I provided requires logstash 2.4 or more.

With logstash 2.3.1, the right code are :
code => "map['cycle'] = event['cycle']"

And then :
code => "event['cycle'] = map['cycle']"

Kryten · February 4, 2017, 9:28pm

Brilliant. Success!
Thank you very much, this is great news... I've needed this functionality for a long time.

Thanks again

fbaligand · February 4, 2017, 9:35pm

Happy to see I solved your problem !

fbaligand · February 5, 2017, 5:02pm

If your problem is solved, could you mark my solution comment as "solution" to close the topic ?

Kryten · February 5, 2017, 5:59pm

@fbaligand

Thats odd. I did exactly that about 17 seconds after testing your solution. The topic IS tagged as having a solution in my view of this thread:

Is there somewhere else | something else I should do?

fbaligand · February 5, 2017, 6:02pm

Sorry, I should buy some glasses

Kryten · February 5, 2017, 6:18pm

No problem at all. I'm still smiling at FINALLY having a solution to this problem.
THANKS AGAIN

system · March 5, 2017, 6:18pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Using aggregate filter to count number of events and sum field's values Logstash	29	3236	September 14, 2020
Logstash count insta Filter aggregate Logstash	1	236	November 5, 2020
Push_previous_map_as_event if fields exist Logstash	40	2227	January 11, 2021
Aggregate not working on certain events (solved) Logstash	9	723	April 11, 2019
Adding a field to a metrics event Logstash	5	108	July 3, 2024

Remembering Field Values

Related Topics