[ERROR] logstash.filters.ruby

kyk · December 14, 2021, 4:46pm

I have the next ruby code
ruby {
code => '
m = event.get("ip_port").scan(/(\d+.\d+.\d+.\d+):(\d+)->(\d+.\d+.\d+.\d+):(\d+)/)
w = ; x = ; y = ; z =
m.each { |a|
w << a[0].to_fo
x << a[1].to_fo
y << a[2].to_fo
z << a[3].to_fo
}
event.set("ip_source", w)
event.set("port_source", x)
event.set("ip_dest", y)
event.set("port_dest", z)
'
}
And when I'm starting logstash, I have the next error

[2021-12-14T11:41:21,638][ERROR][logstash.filters.ruby ][main][30b39e8ec7a579953c0bbedb55fc148d9456eb0655c801b2bb6f8d7595851567] Ruby exception occurred: undefined method scan' for nil:NilClass {:class=>"NoMethodError", :backtrace=>["(ruby filter code):3:in block in filter_method'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-ruby-3.1.7/lib/logstash/filters/ruby.rb:93:in inline_script'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-ruby-3.1.7/lib/logstash/filters/ruby.rb:86:in filter'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:159:in do_filter'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:178:in block in multi_filter'", "org/jruby/RubyArray.java:1820:in each'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:175:in multi_filter'", "org/logstash/config/ir/compiler/AbstractFilterDelegatorExt.java:134:in multi_filter'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:295:in block in start_workers'"]}

Could you help me to fix the error?

Badger · December 14, 2021, 5:39pm

That is telling you that event.get("ip_port") returned nil, which means there was an event that does not have an [ip_port] field. You should test whether it is nil before using it

port = event.get("ip_port")
if port
    port.scan ....
end

kyk · December 29, 2021, 2:53am

OK, this was a problem. Thanks

kyk · December 29, 2021, 3:10am

Now, I have other problem. The ruby session run without problem but the result is not correct. For example:
Field:
ip_port: "10.10.0.1:2526->20.20.0.1:80; 11.11.0.2:3437->20.20.0.1:80"

Filter:
ruby {
code => '
m = event.get("ip_port").scan(/(\d+.\d+.\d+.\d+):(\d+)->(\d+.\d+.\d+.\d+):(\d+)/)
w = ; x = ; y = ; z =
m.each { |a|
w << a[0].to_fo
x << a[1].to_fo
y << a[2].to_fo
z << a[3].to_fo
}
event.set("ip_source", w)
event.set("port_source", x)
event.set("ip_dest", y)
event.set("port_dest", z)
'
}

Result:
ip_source: 10.10, 11.11
port_source: 2526.0, 3437.0
ip_dest: 20.20, 20.20
port_dest: 80.0, 80.0

The result is not correct

Could you help me to fix the error?

Badger · December 29, 2021, 3:14am

Can you ask that as a new question? Also, you need to use markdown to make it readable.

I will take a look in the morning.

system · January 26, 2022, 3:15am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.