TechQA.

Logstash Aggregate filter plugin Not working properly

603 views Asked by At

Hi i am new to logstash and was trying the demo in their documentation here https://www.elastic.co/guide/en/logstash/current/plugins-filters-aggregate.html#plugins-filters-aggregate "example-1" i was using the same exact script and input but still got different output because of this i was expecting single entry in kibana but it shows 3 entries please help

   grok {
     match => [ "message", "%{LOGLEVEL:loglevel} - %{NOTSPACE:taskid} - %{NOTSPACE:logger} - %{WORD:label}( - %{INT:duration:int})?" ]
   }

   if [logger] == "TASK_START" {
     aggregate {
       task_id => "%{taskid}"
       code => "map['sql_duration'] = 0"
       map_action => "create"
     }
   }

   if [logger] == "SQL" {
     aggregate {
       task_id => "%{taskid}"
       code => "map['sql_duration'] += event.get('duration')"
       map_action => "update"
     }
   }

   if [logger] == "TASK_END" {
     aggregate {
       task_id => "%{taskid}"
       code => "event.set('sql_duration', map['sql_duration'])"
       map_action => "update"
       end_of_task => true
       timeout => 120
     }
   }
 }

INPUT

 INFO - 12345 - TASK_START - start
 INFO - 12345 - SQL - sqlQuery1 - 12
 INFO - 12345 - SQL - sqlQuery2 - 34
 INFO - 12345 - TASK_END - end

EXPECTED OUTPUT

{
  "message" => "INFO - 12345 - TASK_END - end message",
  "sql_duration" => 46
}

MY OUTPUT

{
          "host" => "BEN",
       "message" => "INFO - 12345 - TASK_START - start\r",
    "@timestamp" => 2021-04-27T14:17:28.151Z,
      "loglevel" => "INFO",
        "taskid" => "12345",
        "logger" => "TASK_START",
          "path" => "C:/software/Notepad++/log72.log",
          "type" => "technical1234",
         "label" => "start",
      "@version" => "1"
}
{
          "host" => "BEN",
       "message" => "INFO - 12345 - SQL - sqlQuery1 - 12\r",
    "@timestamp" => 2021-04-27T14:17:28.174Z,
          "type" => "technical1234",
         "label" => "sqlQuery1",
        "taskid" => "12345",
      "loglevel" => "INFO",
        "logger" => "SQL",
      "duration" => 12,
          "path" => "C:/software/Notepad++/log72.log",
      "@version" => "1"
}
{
          "host" => "BEN",
       "message" => "INFO - 12345 - SQL - sqlQuery2 - 34\r",
    "@timestamp" => 2021-04-27T14:17:28.175Z,
          "type" => "technical1234",
         "label" => "sqlQuery2",
        "taskid" => "12345",
      "loglevel" => "INFO",
        "logger" => "SQL",
      "duration" => 34,
          "path" => "C:/software/Notepad++/log72.log",
      "@version" => "1"
}
logstash kibana logstash-grok kibana-7 aggregate-filter
Original Q&A
0

There are 0 answers

Related Questions in LOGSTASH

Related Questions in KIBANA

Related Questions in LOGSTASH-GROK

Related Questions in KIBANA-7

Related Questions in AGGREGATE-FILTER

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions