I'm using Cribl Stream version 4.2.2 and don't understand how to use the Aggregate function to group data by a unique key.
I get the below data sets streamed into Cribl:
{
"fields": {
"a_node": "device1",
"carrier_transitions": 1,
"description": "Device description",
"out_bps": 0,
"out_broadcast_pkts": 123,
"out_multicast_pkts": 222,
"out_octets": 333,
"out_pkts": 111
},
"name": "interfaces",
"tags": {
"device": "device1.mgt.net",
"interface_name": "et-2/3/3"
},
"timestamp": 1710777509
}
{
"fields": {
"in_bps": 0,
"in_broadcast_pkts": 36,
"in_multicast_pkts": 123,
"in_octets": 12,
"in_pkts": 123,
"in_unicast_pkts": 122
},
"name": "interfaces",
"tags": {
"device": "device1.mgt.net",
"interface_name": "et-2/3/3"
},
"timestamp": 1710777509
}
I want to aggregate them based on device and interface_name so that I can get a resulting data set that looks like this:
{
"fields": {
"a_node": "device1",
"carrier_transitions": 1,
"description": "Device description",
"out_bps": 0,
"out_broadcast_pkts": 123,
"out_multicast_pkts": 222,
"out_octets": 333,
"out_pkts": 111,
"in_bps": 0,
"in_broadcast_pkts": 36,
"in_multicast_pkts": 123,
"in_octets": 12,
"in_pkts": 123,
"in_unicast_pkts": 122
},
"name": "interfaces",
"tags": {
"device": "device1.mgt.net",
"interface_name": "et-2/3/3"
},
"timestamp": 1710777509
}
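The merge the question describes, written out as plain JavaScript (the expression language Cribl Stream functions use) so the grouping logic is explicit. This is an added example, not code from the original post and not a Cribl configuration: the two sample events are reconstructed from the question, the grouping key (device, interface_name, timestamp) and the `conflicts` property that records a field arriving twice with different values are assumptions made here. Fields are copied with Object.defineProperty so that a field named `__proto__` in an incoming event cannot alter the merged object's prototype.

```javascript
// Added example: combine per-interface metric events that share the same
// device, interface_name and timestamp into a single event whose "fields"
// is the union of the inputs' fields. Not part of the original post.

// Constructed sample input, mirroring the two events in the question.
const sampleEvents = [
  {
    fields: {
      a_node: "device1", carrier_transitions: 1, description: "Device description",
      out_bps: 0, out_broadcast_pkts: 123, out_multicast_pkts: 222,
      out_octets: 333, out_pkts: 111,
    },
    name: "interfaces",
    tags: { device: "device1.mgt.net", interface_name: "et-2/3/3" },
    timestamp: 1710777509,
  },
  {
    fields: {
      in_bps: 0, in_broadcast_pkts: 36, in_multicast_pkts: 123,
      in_octets: 12, in_pkts: 123, in_unicast_pkts: 122,
    },
    name: "interfaces",
    tags: { device: "device1.mgt.net", interface_name: "et-2/3/3" },
    timestamp: 1710777509,
  },
];

// Grouping key (assumed): device + interface_name + timestamp. Including the
// timestamp keeps samples from different collection intervals apart.
function mergeKey(ev) {
  return `${ev.tags.device}|${ev.tags.interface_name}|${ev.timestamp}`;
}

// Define a field as an own data property so that a key such as "__proto__"
// arriving from an untrusted event cannot change the object's prototype.
function setField(obj, key, value) {
  Object.defineProperty(obj, key, {
    value, enumerable: true, writable: true, configurable: true,
  });
}

function mergeEvents(events) {
  const merged = new Map();
  for (const ev of events) {
    // Events without a complete key cannot be grouped; drop them.
    if (!ev.tags || !ev.tags.device || !ev.tags.interface_name) continue;
    const key = mergeKey(ev);
    let target = merged.get(key);
    if (!target) {
      target = { fields: {}, name: ev.name, tags: { ...ev.tags }, timestamp: ev.timestamp };
      merged.set(key, target);
    }
    for (const [k, v] of Object.entries(ev.fields || {})) {
      if (Object.prototype.hasOwnProperty.call(target.fields, k) && target.fields[k] !== v) {
        // Same field delivered twice with different values: keep the first
        // value and record the disagreement instead of silently overwriting.
        target.conflicts = target.conflicts || {};
        setField(target.conflicts, k, [target.fields[k], v]);
        continue;
      }
      setField(target.fields, k, v);
    }
  }
  return Array.from(merged.values());
}

// Merge the constructed sample; returns one event with 14 fields.
function mergeSample() {
  return mergeEvents(sampleEvents);
}

console.log(JSON.stringify(mergeSample(), null, 2));
```

A third event for the same interface and timestamp carrying a different `in_pkts` would leave `in_pkts: 123` in place and add `conflicts: { in_pkts: [123, 999] }`; an event for another interface produces a second output object rather than being folded into the first.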