Change a log value

Hi guys,

I have a log file that has a field named "Time". This field is sometimes filled with the word "IN" and other times with numbers that correspond to the time in milliseconds.
I found a way to convert the word to 0 using:

if [ResponseTime] == "IN" {
    mutate {
        replace => ["ResponseTime", 0]
    }
}

and then in my grok pattern I do:

%{NUMBER:ResponseTime}

and then I configure a mutate convert as follows:

convert => {
    "ResponseTime" => "integer"
}

In that way I can convert the word IN to 0 but cannot make it an integer.
Help please.

I have a log file that has a field named "Time"

You mean ResponseTime?

Please show your whole configuration instead of bits and pieces from here and there.

input {
    beats {
        port => "5043"
    }
}
# The filter part of this file is commented out to indicate that it is
# optional.
filter {
    grok {
        match => {"message" => "%{TIMESTAMP_ISO8601:Data} %{NOTSPACE:actionType} \[%{NOTSPACE:TxType}\] \- %{NUMBER:Number1} \- %{NUMBER:Number2} \- %{WORD:HTTPMethod} \- %{NOTSPACE:BrowserProvider} \(%{DATA:OSName}\) %{NOTSPACE:Gecko} %{NOTSPACE:BrowserVersion} \- %{IP:ClientIP} \- %{NOTSPACE:OrigemDoRequest} \- %{NOTSPACE:None1} \- %{IP:ClientIP1} \- %{NOTSPACE:None2} \- %{NOTSPACE:ABC} \- %{NUMBER:Number3} \- %{URIPATHPARAM:request} \- %{NOTSPACE:None3} \- %{WORD:Step} \- %{NOTSPACE:TempoDeResposta}"}
    }
    geoip {
        source => "ClientIP"
    }
    mutate {
        gsub => [
            "TempoDeResposta", "START", "0",
            "Data", " ", "T"
        ]

        convert => {
            "Number1" => "integer"
            "Number2" => "integer"
            "Number3" => "integer"
            "TempoDeResposta" => "integer"
        }
    }
}
output {
    elasticsearch {
        hosts => ["localhost:9200"]
    }
}

I changed the IF statement, I'm using the gsub lib now.
The field TempoDeResposta is the responseTime that I was asking about.

Any help guys?
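
An added example, not part of the original thread: the mutate filter applies its operations in a fixed order in which convert runs before gsub, however they are written inside one block, so this sketch puts them in two separate mutate blocks to make the order explicit. The generator input, the two sample lines, the shortened grok pattern, the anchored `^START$` regex and the stdout output are constructed for illustration so the pipeline runs offline.

```logstash
# Constructed test pipeline: two sample events, one with the START marker
# and one with a numeric response time.
input {
  generator {
    lines => [
      "StepA - START",
      "StepB - 153"
    ]
    count => 1
  }
}

filter {
  # Shortened pattern (assumption): only the last two fields of the
  # thread's grok expression are kept.
  grok {
    match => { "message" => "%{WORD:Step} - %{NOTSPACE:TempoDeResposta}" }
  }

  # Block 1: normalise the non-numeric marker while the field is still a
  # string. The regex is anchored so only an exact "START" is rewritten.
  mutate {
    gsub => [ "TempoDeResposta", "^START$", "0" ]
  }

  # Block 2: filters run in file order, so this convert sees the value
  # produced by block 1. Only convert when the field holds digits, so an
  # unexpected token is left as a string and stays visible downstream.
  if [TempoDeResposta] =~ /^\d+$/ {
    mutate {
      convert => { "TempoDeResposta" => "integer" }
    }
  } else {
    mutate {
      add_tag => [ "tempo_not_numeric" ]
    }
  }
}

# rubydebug prints integers without quotes and strings with quotes,
# which makes the resulting field type easy to check.
output {
  stdout { codec => rubydebug }
}
```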
