Updated README.md

whyscream · whyscream · Jul 2, 2020 · Jun 25, 2020 · Jun 26, 2020 · Jul 2, 2020
commit 8468e4a81556ef838ca2af6522b1e9aa78a4d210
diff --git a/README.md b/README.md
@@ -8,7 +8,7 @@ Usage
 
 - Install logstash
 - Add `50-filter-postfix.conf` to `/etc/logstash/conf.d` or `pipeline` dir for dockerized Logstash
-- Add `51-filter-postfix-aggregate.conf` to `/etc/logstash/conf.d` or `pipeline` dir for dockerized Logstash
+- Add `51-filter-postfix-aggregate.conf` to `/etc/logstash/conf.d` or `pipeline` dir for dockerized Logstash (optional)
 - Make dir `/etc/logstash/patterns.d`
 - Add `postfix.grok` to `/etc/logstash/patterns.d`
 - Restart logstash
@@ -20,6 +20,15 @@ The included Logstash config file requires two input fields to exist in input ev
 
 This event format is supported by the Logstash `syslog` input plugin out of the box, but several other plugins produce input that can be adapted fairly easy to produce these fields too. See [ALTERNATIVE INPUTS](ALTERNATIVE-INPUTS.md) for details.
 
+Aggregation filter
+-----
+
+Aggregation filter is used to combine fields from different log lines. For example:
+
+![Alt text](aggregation_example_pic.jpg?raw=true)
+
+In this example filter take 'postfix_from' from postfix/qmgr log line and put to postfix/smtp.
+
 Tests
 -----
 

diff --git a/aggregation_example_pic.jpg b/aggregation_example_pic.jpg