Change a string in a field for a number

Incauto · November 20, 2019, 3:52pm

Hi, from time to time In the milliseconds field( that is for numbers ) appears the string: "disabled", what Im trying to do, is that every time the string "disabled" appears, change for it the number "0" I have tried with gsub without results....do I need a conditional? how can I do this?

filter {
        grok {
                match => {"message" => "%{DATA:server}\s%{DATA:milliseconds}"}
        }

        mutate {
            gsub => [
                     "milliseconds" , "disabled", "0"
              ]
            convert => {
                    "milliseconds" => "integer"
                }
        }

Badger · November 20, 2019, 6:01pm

What does the resulting event look like if you use

output { stdout { codec => rubydebug } }

Note that mutate does processing in a fixed order and convert comes before gsub, so you need to split that into two mutate filters.

Incauto · November 20, 2019, 6:16pm

It shows all the fields but not milliseconds, testing in grok debbuger, seems that DATA doesnt accept numbers, so the field doesnt even appears in the stdout, later I try this also without success

filter {
    grok {
            match => {"message" => "%{DATA:server}\s%{NUMBER:milisegundos}"}
    }

    if [milisegundos] == "disabled" {
            mutate {
                    replace => ["milisegundos", 0 ]
            }
    }

    mutate {

            add_field => {
                    "origen" => "alpha"
                    "horayfecha" => "%{hora} %{fecha}"
            }
            convert => {
                    "milisegundos" => "integer"
            }
    }

that trows a grok parse failure whenever it find the string "disabled"

system · December 18, 2019, 6:16pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.