Correct way to drop older events?

jonrust · May 8, 2018, 5:09pm

I'd like to drop older events at logstash parsing time. Going with 100 days as my cutoff, I tried and failed to do this with the ruby module:

 ruby {
    code => "event.cancel if event.get(@timestamp) < (Time.now - (86400*100))"
 }

Is there a better way to do it? If not, what did i do wrong in the ruby code?

The error i see from LS is:

[2018-05-08T13:10:58,506][ERROR][logstash.filters.ruby ] Ruby exception occurred: no implicit conversion of nil into String

EDIT:

Better code? At least the errors have stopped.

ruby {
    code => "event.cancel if event.timestamp.to_i < (Time.now.to_i - (86400*10))"
}

magnusbaeck · May 8, 2018, 7:29pm

The latter looks okay, but consider using the age filter.

system · June 5, 2018, 7:29pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Drop/cancel events with a timestamp older than a given amount of seconds Logstash	4	2071	April 27, 2019
Drop events older than three days Logstash	6	4067	May 23, 2017
Logstash - filter the logevents based on time.send only specified date logs to the output plugin Logstash	2	752	August 31, 2017
Identify lines older than X days Logstash	12	3798	July 6, 2017
Drop Event older than 24 hours Logstash	8	2218	June 11, 2018