Hello Dmitriy, your pretag.map looks fine to my eyes. You should instead append the 'tag' keyword to your 'aggregate' directive in order to give values to the 'agent_id' field:
aggregate: src_host,dst_host,src_mac,dst_mac,src_port,dst_port,tag

Let me know whether the issue gets solved.

Cheers,
Paolo
