Deleting an event

Claireshan · May 16, 2020, 11:45am

hello am trying to delete an every event with jnxDomCurrentRxLaserPower == 0. but i keep getting the same output. Now my router has 8 interfaces with only one port active and the others are not enabled but their jnxDomCurrentRxLaserPower is equated to 0 i dont know if they equate the missing value to 0 or null.

Configuration
filter {
mutate {
add_field => { "cpe_ip" => "%{[host]}" }
}

ruby {

 #TODO remove unwanted data (inactive interfaces)

code => "event.cancel if [jnxDomCurrentRxLaserPower] == 0 "

}

if [jnxDomCurrentRxLaserPower] == "0" { drop { }
}

output
[0] {
"jnxDomCurrentRxLaserPowerHighWarningThreshold" => 0,
"index" => "511",
"jnxDomCurrentTxLaserOutputPower" => 0,
"jnxDomCurrentRxLaserPower" => 0,
"jnxDomCurrentRxLaserPowerLowWarningThreshold" => 0,
"jnxDomCurrentTxLaserOutputPowerLowWarningThreshold" => 0,
"jnxDomCurrentTxLaserOutputPowerHighWarningThreshold" => 0
},
[1] {
"jnxDomCurrentRxLaserPowerHighWarningThreshold" => 0,
"index" => "512",
"jnxDomCurrentTxLaserOutputPower" => 0,
"jnxDomCurrentRxLaserPower" => 0,
"jnxDomCurrentRxLaserPowerLowWarningThreshold" => 0,
"jnxDomCurrentTxLaserOutputPowerLowWarningThreshold" => 0,
"jnxDomCurrentTxLaserOutputPowerHighWarningThreshold" => 0
},
[2] {
"jnxDomCurrentRxLaserPowerHighWarningThreshold" => 0,
"index" => "513",
"jnxDomCurrentTxLaserOutputPower" => 0,
"jnxDomCurrentRxLaserPower" => 0,
"jnxDomCurrentRxLaserPowerLowWarningThreshold" => 0,
"jnxDomCurrentTxLaserOutputPowerLowWarningThreshold" => 0,
"jnxDomCurrentTxLaserOutputPowerHighWarningThreshold" => 0
},
[3] {
"jnxDomCurrentRxLaserPowerHighWarningThreshold" => 0,
"index" => "515",
"jnxDomCurrentTxLaserOutputPower" => 0,
"jnxDomCurrentRxLaserPower" => 0,
"jnxDomCurrentRxLaserPowerLowWarningThreshold" => 0,
"jnxDomCurrentTxLaserOutputPowerLowWarningThreshold" => 0,
"jnxDomCurrentTxLaserOutputPowerHighWarningThreshold" => 0
},
[4] {
"jnxDomCurrentRxLaserPowerHighWarningThreshold" => 0,
"index" => "516",
"jnxDomCurrentTxLaserOutputPower" => 0,
"jnxDomCurrentRxLaserPower" => 0,
"jnxDomCurrentRxLaserPowerLowWarningThreshold" => 0,
"jnxDomCurrentTxLaserOutputPowerLowWarningThreshold" => 0,
"jnxDomCurrentTxLaserOutputPowerHighWarningThreshold" => 0
},
[5] {
"jnxDomCurrentRxLaserPowerHighWarningThreshold" => 0,
"index" => "517",
"jnxDomCurrentTxLaserOutputPower" => 0,
"jnxDomCurrentRxLaserPower" => 0,
"jnxDomCurrentRxLaserPowerLowWarningThreshold" => 0,
"jnxDomCurrentTxLaserOutputPowerLowWarningThreshold" => 0,
"jnxDomCurrentTxLaserOutputPowerHighWarningThreshold" => 0
},
[6] {
"jnxDomCurrentRxLaserPowerHighWarningThreshold" => 0,
"index" => "518",
"jnxDomCurrentTxLaserOutputPower" => 0,
"jnxDomCurrentRxLaserPower" => 0,
"jnxDomCurrentRxLaserPowerLowWarningThreshold" => 0,
"jnxDomCurrentTxLaserOutputPowerLowWarningThreshold" => 0,
"jnxDomCurrentTxLaserOutputPowerHighWarningThreshold" => 0
},
[7] {
"jnxDomCurrentRxLaserPowerHighWarningThreshold" => -400,
"index" => "519",
"jnxDomCurrentTxLaserOutputPower" => -581,
"jnxDomCurrentRxLaserPower" => -667,
"jnxDomCurrentRxLaserPowerLowWarningThreshold" => -2397,
"jnxDomCurrentTxLaserOutputPowerLowWarningThreshold" => -1102,
"jnxDomCurrentTxLaserOutputPowerHighWarningThreshold" => -100

Badger · May 16, 2020, 6:20pm

You have a field that is an array of interfaces. You do not say what that is called, but you want to remove interfaces that have jnxDomCurrentRxLaserPower equal to zero. I would do that using something like this (which I have not tested)...

ruby {
    code => '
        fieldName = "interfaceList" # Or whatever it is
        a = []
        event.get(fieldName).each { |interface|
            if interface["jnxDomCurrentRxLaserPower"] != 0
                a << interface
            end
        }
        event.set(fieldName, a)
    '
}

If you only have one active interface then you will end up with an array with one member. If you are sure there will never be more than one active interface you could try

ruby {
    code => '
        fieldName = "interfaceList"
        event.get(fieldName).each { |interface|
            if interface["jnxDomCurrentRxLaserPower"] != 0
                event.set(fieldName, interface)
            end
        }
        
    '
}

which will capture the last active interface.

Claireshan · May 18, 2020, 7:59am

Thank you Badger. that actually worked i just edited something small. so some of the interfaces were actually for Ethernet port so they didnt have rx values and my array was called interfaces. Thank you

code => '
fieldName = "interfaces"
a =
event.get(fieldName).each { |interface|
if interface.include? "jnxDomCurrentRxLaserPower" and interface["jnxDomCurrentRxLaserPower"] != 0
a << interface
end
}
event.set(fieldName, a)
'

system · June 15, 2020, 7:59am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.