After add_field, conversion from string to float unsuccessful

rj23495 · July 26, 2019, 12:03pm

filter {
grok { match => { "message" => "%{YEAR:year}-%{MONTHNUM:month}-%{MONTHDAY:day} %{HOUR:hour}:%{MINUTE:min}:%{SECOND:sec} \[%{DATA:pool}\] %{DATA:metric} %{DATA:metricname} %{DATA:datatype} %{NUMBER:metricvalue:float} %{GREEDYDATA:unit}" } }

  mutate {
          copy => { "source" => "source_tmp" }
         }
 mutate {
    add_field => { "metric_%{metricname}" => "%{metricvalue}" }
        }
 mutate {
    convert => { "metric_%{metricname}" => "float" }
        }
  mutate {
          split => ["source_tmp", "/"]
          add_field => { "applicationID" => "%{[source_tmp][4]}" }
         }
}

Badger · July 26, 2019, 12:29pm

Correct. The convert function does not sprintf the LHS, so you cannot use field references. There are two open issues for that, here and here.

rj23495 · July 26, 2019, 1:11pm

@Badger Thanks for your prompt reply.
What should be the work around for it?..

rj23495 · July 26, 2019, 1:19pm

@magnusbaeck any work arounds for this?

Badger · July 26, 2019, 1:24pm

The workaround would be to do it in ruby. Possibly with a regexp to match the key.

rj23495 · July 26, 2019, 1:32pm

@Badger any example to refer?

Badger · July 26, 2019, 1:41pm

    ruby {
        code => '
            event.to_hash.each { |k, v|
                if k =~ /^metric_/
                    if v.to_f.to_s == v
                        event.set(k, v.to_f)
                    end
                end
            }
        '
    }

rj23495 · July 26, 2019, 1:53pm

@Badger Thanks a lot i will try this filter in my configuration.
This requires KV filter? Because we have split the fields using grok.
message format is -------
"2019-07-23 08:00:15.965 [pool-2-thread-1] metric Address_DATABASE_SEARCH_Country_in int32 7 count"

rj23495 · July 29, 2019, 6:12am

@Badger
@magnusbaeck
if i use this
input {
beats {
port => 5044
}
}

filter {
grok { match => { "message" => "%{YEAR:year}-%{MONTHNUM:month}-%{MONTHDAY:day} %{HOUR:hour}:%{MINUTE:min}:%{SECOND:sec} \[%{DATA:pool}\] %{DATA:metric} %{DATA:metricname} %{DATA:datatype} %{NUMBER:metricvalue:float} %{GREEDYDATA:unit}" } }

  mutate {
          copy => { "source" => "source_tmp" }
         }
  mutate {
          add_field => { "message_tmp" => "metric_%{metricname} = %{metricvalue} %{unit}"}
  }
 grok { match => { "message_tmp" => "metric_%{DATA:metricname} = %{NUMBER:value:float}" } }
 # mutate {
  #  add_field => { "metric_%{metricname}" => "%{metricvalue}" }
  #      }
 #mutate {
    #convert => { "metric_%{metricname}" => "float" }
    #    }
  mutate {
          split => ["source_tmp", "/"]
          add_field => { "applicationID" => "%{[source_tmp][4]}" }
         }  
}
output {
  elasticsearch {
    hosts => ["xyz:9200"]
    index => "%{[applicationID]}-%{+YYYY.MM.dd}"
  }
}

system · August 26, 2019, 6:13am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to convert type for field like a.b in mutate plugin? Logstash	6	3079	July 6, 2017
Regex to integer\float Logstash	5	2282	November 4, 2022
Convert String to float failed Logstash	4	11646	July 6, 2017
Add_field is not working when trying to add interger value Logstash	2	2750	July 6, 2017
Mutate convert not working Logstash	3	2368	July 6, 2017

After add_field, conversion from string to float unsuccessful

Related topics