Compare fields in Logstash ruby filter

Gurveer_Singh · September 6, 2016, 10:48am

I trying following ruby code, but doesn't working for me. Can somebody help me where I am doing wrong ?

ruby {
code => '
require "csv"
records = CSV.foreach("/path/to/file.csv")
records.each do |rec|
if rec[0] == event["#{Hostname}"] and rec[1] == event["#{Serial_Number}"]
event["Updated_Status"] = EXCEPTION
end
end
'
}

magnusbaeck · September 6, 2016, 10:53am

What is event["#{Hostname}"] supposed to mean? If you want to obtain the current contents of the Hostname field you're looking for event["Hostname"].

Gurveer_Singh · September 6, 2016, 11:39am

I am parsing a CSV file which has field name "Hostname", so I want to use same field Hostname content in ruby filter for comparison.

ruby {
          code => '
          require "csv"
          records = CSV.foreach("/root/CIS/filter.csv")
          records.each do |rec|
            if rec[0] == event["Hostname"] and rec[1] == event["Serial_Number"]
              event["Updated_Status"] = EXCEPTION
            end
          end
          '
        }

If I use above code as you mentioned i am getting following error while executing.

Ruby exception occurred: closed stream {:level=>:error}

magnusbaeck · September 6, 2016, 11:54am

Try

CSV.foreach("/root/CIS/filter.csv") do |rec|

instead of

records = CSV.foreach("/root/CIS/filter.csv")
records.each do |rec|

Gurveer_Singh · September 6, 2016, 12:24pm

I tried this code.

> ruby {
>           code => '
>           require "csv"
>           CSV.foreach("/root/CIS/filter.csv") do |rec|
>             if rec[0] == event["Hostname"] and rec[1] == event["Serial_Number"]
>               event["Updated_Status"] = EXCEPTION
>             end
>           end
>           '
>         }

It's not stuck as previous but where condition match, logstash add following.

"tags" => [
        [0] "_rubyexception"
    ]

And shows following error too.
Ruby exception occurred: uninitialized constant LogStash::Filters::Ruby::EXCEPTION {:level=>:error}

Values which I am comparing are String.

magnusbaeck · September 6, 2016, 12:46pm

And what's that EXCEPTION in your code supposed to mean? If it's a string you need to double-quote it.

Gurveer_Singh · September 6, 2016, 1:25pm

If condition match then ruby code will add a field Updated_Status with value EXCEPTION.

if rec[0] == "event["Hostname"]" and rec[1] == "event["Serial_Number"]"
              event["Updated_Status"] = EXCEPTION
            end

If I am using double-quote, then logstash shows following error.

SyntaxError: (ruby filter code):4: syntax error, unexpected tCONSTANT
            if rec[0] == "event["Hostname"]" and rec[1] == "event["Serial_Number"]"
                                    ^

I guess there is some different way to compare string values in ruby filter.

magnusbaeck · September 6, 2016, 1:31pm

Double-quote EXCEPTION, nothing else.

event["Updated_Status"] = "EXCEPTION"

Gurveer_Singh · September 6, 2016, 1:54pm

Thanks Magnus, It works for me. Thanks alot. You solved my really big issue.

Final Code:

ruby {
          code => '
          require "csv"
          CSV.foreach("/root/CIS/filter.csv") do |rec|
            if rec[0] == event["Hostname"] and rec[1] == event["Serial_Number"]
              event["Updated_Status"] = "EXCEPTION"
            end
          end
          '
}