Compare two fields in logstash

niraj_kumar · August 8, 2016, 5:01pm

Guys,

Is it possible to compare two fields in logstash and create a new field out of it. I have a AWS S3 logs where the bytes downloaded is sometimes not equal to the actual file downloaded. So what i am trying to find out is the successful downloads based on comparing two fields.

Any help would be great.

--
Niraj

niraj_kumar · August 9, 2016, 10:57pm

Okay I got this working today. This is the ruby filter used to complete the task.

filter {
    if [type] == "s3-access-log" {
        grok {
            match => { "message" => "%{S3_ACCESS_LOG}" }
        }
        ruby {
            code => "event['successfuldownload'] = event['bytes'] == event['object_size']"
          }
        date {
            locale => "en"
            match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
        }
    }
}

magnusbaeck · August 10, 2016, 6:04am

You could also use a Logstash conditional that runs one of two mutate filters that adds the successfuldownload field.

niraj_kumar · August 10, 2016, 6:18am

Can you give me a example how? just curious

magnusbaeck · August 10, 2016, 6:33am

if [bytes] == [object_size] {
  mutate {
    add_field => {
      "successfuldownload" => true
    }
  }
} else {
  ...
}

Topic		Replies	Views
Logstash - comparison 2 fields Logstash	3	593	January 11, 2022
Filter if condition in Logstash Logstash	8	19401	July 24, 2019
Compare two fields with different documents Logstash	6	649	September 2, 2022
Issue with a conditional statement Logstash	12	569	March 4, 2022
Logstash: Comparison of two variables Logstash	5	168	March 29, 2024

Compare two fields in logstash

Related Topics