Reputation: 1
How to aggregate same events in logstash into one new event
Lets say I get 10 login failures in about 60 seconds and I don't want to see all 10 events but only one that say there was 10 failed login attempts.
How (if it is possible) can I aggregate number of same events in logstash into one new event?
Upvotes: 0
Views: 3108
Answers (1)
Reputation: 2118
Use the metrics filter.
It will allow you to flush every XX seconds (configurable) a metric event that can consists of various valuable metrics (e.g: percentiles of duration, rates, and count). You can use the filter and specify that you want an event to be flushed every 60 seconds, with the count of number of failed login attempts. The event will be flushed regardless if the count is higher or lower than 10, but you can query elastic search, whether manually or with Kibana, for only metric events where count is higher than 10.
Upvotes: 3
Related Questions
- Logstash [aggregate filter] to pass data between events
- aggregate logstash filter with "multiple pipelines"
- Logstash dynamically split events
- Aggregation in Logstash-ElasticSearch
- Logstash Aggregate filter, add information to next lines
- ELK: Merge multiple events into one
- Combining log entries with logstash
- logstash - splitting an event into two, based on an included array
- LogStash Filter - Aggregate duplicated events and merge it
- Split a log entry in two events with logstash-grok, clone and mutate