Divide two fields and store in a new field to be visualized in Kibana

Elastic Stack Logstash
1

I would like to take two fields from a GROK filter and divide the two to get the number of events occurring in one second.
ES, LS, FB, Kibana all 5.0.

Something like this time_per_sel = enrichtime / totalsel.

Input:
2016-14-12 14:45:33,655 [sdfsdfd] DEBUG were.were.werwer - Total TEST Enrichment Time: 12591 for 1 total selectors /teset/setset/setst/setwetghdfgh 200

GROK Filter:

grok {
  match => { "message" => ".*Enrichment Time: %{INT:enrichtime:int} for %{INT:totalsel:int} "}
}

I believe that I need to use Ruby code to do this since it currently isn't available in the ELK stack natively.

2

Yes, you need a ruby filter for this.

ruby {
  code => "event.set('time_per_sel', event.get('enrichtime') / event.get('totalsel'))"
}
2 Likes
3

Thanks for the help! I was close but off slightly on my event.get calls.

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.