Compare float value generated from Glok Pattern

Athul_Devkar · August 17, 2021, 1:07am

Dear All,

I am trying to compare 2 float fields, which are created from Grok patterns match.

But this is crashing the pipeline. Not able to figure out what is missing here! Kindly help.

if [message] =~ "Customer Type : data" {
    grok {
        match => {"message" => AccountNumber : %{NUMBER:AcctNumber}, Title Role: %{DATA:TitleRole}, Customer Type : %{DATA:CustomerType}, Source Type : %{DATA:SourceType}, **TotalMrc : %{NUMBER:TotalMRC:float}, NMrc : %{NUMBER:NMRC:float}**,}
    }
    }
    if [TotalMRC] > [NMrc] {
	 mutate {
        add_field => {"TEST" => "YES"}
    }}

Badger · August 17, 2021, 1:14am

You need to have quotes around your grok pattern, and the numeric comparison can crash things if those fields do not exist, so you should test for that using

if [TotalMRC] and [NMrc] {
    if [TotalMRC] > [NMrc] {

Athul_Devkar · August 17, 2021, 1:56pm

Thanks for your reply.

The Quotes around Grok - I just missed that while copy pasting here.

However, added the null check as you recommended. Its not crashing now. Which is good thing. But Still don't see the field getting created, no errors in logs. Anything else I am missing?

match => {"message" => "Automation Type : %{DATA:AutomationTypeValue},ExistingTotalMrc : %{NUMBER:ExistingTotalMRC:float}, NewTotalMrc : %{NUMBER:NewTotalMRC:float}, %{GREEDYDATA:Greedymessage}"} 

if [ExistingTotalMRC] and [NewTotalMrc] {
     if [NewTotalMrc] > [ExistingTotalMRC] {
        mutate {
            add_field => {"SaleTrend" => "Upsell"}
        }
     } 
}

Badger · August 17, 2021, 2:27pm

Your grok pattern creates NewTotalMRC, not NewTotalMrc.

Athul_Devkar · August 17, 2021, 2:38pm

ahhh. My bad. It works now.

Sorry about the trouble! New to these stuffs.

Thanks again!

system · September 14, 2021, 2:38pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.