Compare two fields in logstash

niraj_kumar · August 8, 2016, 5:01pm

Guys,

Is it possible to compare two fields in logstash and create a new field out of it. I have a AWS S3 logs where the bytes downloaded is sometimes not equal to the actual file downloaded. So what i am trying to find out is the successful downloads based on comparing two fields.

Any help would be great.

--
Niraj

niraj_kumar · August 9, 2016, 10:57pm

Okay I got this working today. This is the ruby filter used to complete the task.

filter {
    if [type] == "s3-access-log" {
        grok {
            match => { "message" => "%{S3_ACCESS_LOG}" }
        }
        ruby {
            code => "event['successfuldownload'] = event['bytes'] == event['object_size']"
          }
        date {
            locale => "en"
            match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
        }
    }
}

magnusbaeck · August 10, 2016, 6:04am

You could also use a Logstash conditional that runs one of two mutate filters that adds the successfuldownload field.

niraj_kumar · August 10, 2016, 6:18am

Can you give me a example how? just curious

magnusbaeck · August 10, 2016, 6:33am

if [bytes] == [object_size] {
  mutate {
    add_field => {
      "successfuldownload" => true
    }
  }
} else {
  ...
}