Axway-API-Management-Plus
diff --git a/‎.vscode/settings.json‎
Lines changed: 0 additions & 3 deletions b/‎.vscode/settings.json‎
Lines changed: 0 additions & 3 deletions
diff --git a/‎configs/logstash.conf‎
Lines changed: 23 additions & 5 deletions b/‎configs/logstash.conf‎
Lines changed: 23 additions & 5 deletions
@@ -8,19 +8,39 @@ input {
 }
 
 filter {
+  # The logtype has been set by Filebeat to distinct between OpenLog and TraceLog
   if ([fields][logtype] == "openlog") {
+    # Parse the received payload into a JSON-Object
     json {
        source => "[message]"
        target => "[message]"
     }
-
+    # Use the given timestamp from OpenLog for the logstash timestamp send to ElasticSearch
     date {
        match => [ "timestamp", "UNIX_MS" ]
        target => "timestampOriginal"
     }
-
+    # OpenLog contains multiple events for one transaction
+    # Events are received for the following categories
+    # - circuitPath         - Contains details of the circuit paths executed during a transaction
+    # - transactionSummary  - Contains the high-level summary details of a transaction
+    # - transactionElement  - Contains detailed information for an indvidual element (leg) of a transaction
+    # - trace               - Contains a single trace message generated by an API Gateway process
+    # In this aggregation both are joined together into one document before it is send to ElasticSearch
+    # https://docs.axway.com/bundle/APIGateway_762_AdministratorGuide_allOS_en_HTML5/page/Content/AdminGuideTopics/admin_open_logging.htm
+    # IT IS IMPORTANT, that 
     aggregate {
+        # Map different events based on the correlationId
         task_id => "%{correlationId}"
+        # Related events are expected to be received with a delay of 10 seconds
+        timeout => 10
+        # On timeout (after 10 seconds) send the received event anyway.
+        push_map_as_event_on_timeout => true
+        # The following code is basically 
+        # - Handles all types besides trace
+        # - Takes over the common information such as correlationId, timestampOriginal, ...
+        # - Initializes the transactionElements
+        # - takes over individual fields from the event into the aggregated map
         code => "
             map['correlationId'] ||= event.get('correlationId')
             map['timestampOriginal'] ||= event.get('timestampOriginal')
@@ -51,10 +71,8 @@ filter {
 
             event.cancel()
        "
-       push_map_as_event_on_timeout => true
-       timeout => 5
     }
-
+    # Indicate in the outgoing event this is an openlog event
     mutate {
       add_tag => [ "openlog" ]
     }