Aggregation error:

Exception: String can't be coerced into Fixnum

[2017-11-09T10:39:40,294][ERROR][logstash.filters.aggregate] Aggregate exception occurred {:error=>#<TypeError: String can't be coerced into Fixnum>, :code=>" map['processAvgTime'] ||= 0; map['processAvgTime'] += event.get('cputimeinmillisec'); map['counter'] ||= 0; map['counter'] += 1;\n if (map['counter'] == 96000)\n event.set('avgProcessTime' , (map['processAvgTime'] / map['counter']))\n event.set('Aggregation', true)\n #map['counter'] ||= 0 \n #map['processAvgTime'] ||= 0\n end\n ", :map=>{"processAvgTime"=>0}, :event_data=>{"runmode"=>"EJB", "customisation-level"=>"1", "offset"=>1692219, "inputserver"=>"cmwl01", "@metadata"=>{"beat"=>"filebeat", "ip_address"=>"127.0.0.1", "type"=>"doc"}, "eventutctime"=>"2017-09-11 03:52:52.563", "componentname"=>"CM", "source"=>"C:\\data\\XL\\cmwl01\\ABPAuditLog_20170100.log", "type"=>"beats", "errorcodeiffailure"=>"null", "tags"=>["beats_input_codec_plain_applied"], "threadid"=>"43", "apireturnstatus"=>"S", "@timestamp"=>2017-09-11T00:52:52.563Z, "apiname"=>"getValidValues", "cputimeinmillisec"=>"0.562", "@version"=>"1", "beat"=>{"hostname"=>"SHARONSA02V", "name"=>"SHARONSA02V", "version"=>"6.0.0-beta2"}, "host"=>"SHARONSA02V", "fields"=>{"index"=>"cmserver"}, "exceptiontype"=>"null", "username"=>"siti1319"}}

This is my Filter:

filter{
if [type] == "beats" {
grok {
break_on_match => true
keep_empty_captures => false
match => {
message => [
"%{NUMBER:threadid};%{TIMESTAMP_ISO8601:eventutctime};%{DATA:username};%{JAVACLASS:apiname};%{WORD:apireturnstatus};%{WORD:componentname};%{BASE10NUM:customisation-level};%{BASE10NUM:cputimeinmillisec};%{WORD:runmode};%{WORD:errorcodeiffailure}",
"%{NUMBER:threadid};%{TIMESTAMP_ISO8601:eventutctime};%{DATA:username};%{JAVACLASS:apiname};%{WORD:apireturnstatus};%{WORD:componentname};%{BASE10NUM:customisation-level};%{BASE10NUM:cputimeinmillisec};%{WORD:runmode};(%{GREEDYDATA:errorcodeiffailure})\s*%{GREEDYDATA:error_description}"
]
}
patterns_dir => "C:\DoLense\Patterns\patterns"
}
date {
match => ["eventutctime" , "yyyy-MM-dd HH:mm:ss.SSS"]
}
mutate {
remove_field => [ "message" ]
}
if [componentname] == "CM" {
#add the weblogic server field. Need to be taken from source
ruby {
# isolate the server name from the "source" field
# adding the field 'inputserver'
code => "
event.set('inputserver', event.get('source').split('\')[3])
event.set('apiname', event.get('apiname').split('.').last)
event.set('exceptiontype', 'null')
if event.get('errorcodeiffailure') != 'null'
require 'csv'
CSV.foreach('C:\DoLense\logstash\cmerrortype.csv') do |rec|
if rec[0] == event.get('errorcodeiffailure')
event.set('exceptiontype', rec[1])
end
end
end
"
}
aggregate {
task_id => "%{inputserver}%{exceptiontype}%{apiname}_{errorcodeiffailure}"
code => " map['processAvgTime'] ||= 0; map['processAvgTime'] += event.get('cputimeinmillisec'); map['counter'] ||= 0; map['counter'] += 1;
if (map['counter'] == 96000)
event.set('avgProcessTime' , (map['processAvgTime'] / map['counter']))
event.set('Aggregation', true)
#map['counter'] ||= 0
#map['processAvgTime'] ||= 0
end
"
push_map_as_event_on_timeout => true
timeout => 500
timeout_tags => ['_aggregatetimeout']
#timeout_code => "event.set('avgProcessTime' , ( event.get('processAvgTime') / event.get('counter') ) )"
timeout_code => "event.set('event_counter', event.get('counter') > 1)"
} # aggregate
} # if CM
else
{
drop {}
}
} #if
} #filter

Any idea?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.