Logstash Filter: aggregate - auto save on timeout

2019-09-07 10:51发布

I have a Lambda function in AWS which reports logs to an ELK instance. Each invocation of the lambda function generates a unique invocation_id that is sent with every log event, so the events from a single invocation can be identified in ELK. At the end of the operation, I send a "Done" event.

A Lambda function can fail, or timeout, and then the "Done" event is not sent.

I want to use the logstash aggregate filter to identify the failed invocations. Meaning - each invocation_id will be a task_id in the aggregation map, and the "Done" event will be the end_of_task.

And I need to tell it "on timeout (there was no done event received after X time) save the aggregated event with status=failed".

Is that possible with this filter? If so, what is the syntax? It's not clear from the docs..

标签： logstash aws-lambda elastic-stack

1条回答

Anthone

2楼-- · 2019-09-07 11:12

Logstash aggregate filter supports timeout event generation since version 2.3.0. Here is how to achieve what you want using this feature:

if [action] == "BEGIN" {
  aggregate {
    task_id => "%{id}"
    code => "map['bytes'] = 0"
    map_action => "create"
  }
} elseif [action] == "DONE" {
  aggregate {
    task_id => "%{id}"
    code => "event['bytes'] += map['bytes']"
    timeout_code => "event.tag('failed')"
    map_action => "update"
    end_of_task => true
    timeout => 10
    push_map_as_event_on_timeout => true
} else {
    aggregate {
    task_id => "%{id}"
    code => "map['bytes'] += event['bytes']"
    map_action => "update"
    add_tag => [ "drop" ]
}

0人赞添加讨论(0) 举报

Logstash Filter: aggregate - auto save on timeout

采纳回答

编辑标签

举报内容

检举类型

检举原因

检举说明(必填)

打开微信“扫一扫”，打开网页后点击屏幕右上角分享按钮

付费偷看金额在0.1-10元之间