rabbit
March 31, 2017, 12:26pm
1
Hi guys,
I have a log file that have a field named "Time", this field is filled sometimes with the word "IN" and other times with numbers that correspond to the time in milliseconds.
if[ResponseTime] == "IN"
{
mutate
{
replace => ["ResponseTime",0]
}
}
and than in my grok pattern I do :
%{NUMBER:ResponseTime}
and than I configure a mutate convert as follow :
convert => {
"ResponseTime" => "integer"
}
in that way I can convert the word IN to 0 but cannot make it integer.
I have a log file that have a field named "Time"
You mean ResponseTime?
Please show you whole configuration instead of bits and pieces from here and there.
rabbit
March 31, 2017, 12:54pm
3
input {
beats {
port => "5043"
}
}
# The filter part of this file is commented out to indicate that it is
# optional.
filter {
grok{
match => {"message" => "%{TIMESTAMP_ISO8601:Data} %{NOTSPACE:actionType} \[%{NOTSPACE:TxType}\] \- %{NUMBER:Number1} \- %{NUMBER:Number2} \- %{WORD:HTTPMethod} \- %{NOTSPACE:BrowserProvider} \(%{DATA:OSName}\) %{NOTSPACE:Gecko} %{NOTSPACE:BrowserVersion} \- %{IP:ClientIP} \- %{NOTSPACE:OrigemDoRequest} \- %{NOTSPACE:None1} \- %{IP:ClientIP1} \- %{NOTSPACE:None2} \- %{NOTSPACE:ABC} \- %{NUMBER:Number3} \- %{URIPATHPARAM:request} \- %{NOTSPACE:None3} \- %{WORD:Step} \- %{NOTSPACE:TempoDeResposta}"}
}
geoip
{
source => "ClientIP"
}
mutate{
gsub => [
"TempoDeResposta","START","0",
"Data"," ","T"
]
convert => {
"Number1"=>"integer"
"Number2"=>"integer"
"Number3"=>"integer"
"TempoDeResposta" => "integer"
}
}
}
output {
elasticsearch{
hosts => ["localhost:9200"]
}
}
I change the IF statement, Im using the gsub lib now.
system
April 28, 2017, 2:21pm
5
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.