Correct way to drop older events?

jonrust · May 8, 2018, 5:09pm

I'd like to drop older events at logstash parsing time. Going with 100 days as my cutoff, I tried and failed to do this with the ruby module:

 ruby {
    code => "event.cancel if event.get(@timestamp) < (Time.now - (86400*100))"
 }

Is there a better way to do it? If not, what did i do wrong in the ruby code?

The error i see from LS is:

[2018-05-08T13:10:58,506][ERROR][logstash.filters.ruby ] Ruby exception occurred: no implicit conversion of nil into String

EDIT:

Better code? At least the errors have stopped.

ruby {
    code => "event.cancel if event.timestamp.to_i < (Time.now.to_i - (86400*10))"
}

magnusbaeck · May 8, 2018, 7:29pm

The latter looks okay, but consider using the age filter.

system · June 5, 2018, 7:29pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.