Event.set does not work

stemons · February 25, 2022, 10:54pm

Hello, I'm trying to create new field in my filter, but seems that event.set does not work properly. I can't see neither errors nor the new fields in elastic.

I had to add the if condition since the field is not contained in all the document. How can I add the new derived field?

ruby {
        init => "require 'time'"
        code => "
                 duration = (event.get('@timestamp').to_i - event.get('start_date').to_i)/60/60;
                 event.set('system.process.cpu.duration', duration);
                 if event.get('system.filesystem.free') != nil
                        fs_gb = event.get('system.filesystem.free') / (1024*1024*1024);
                        event.set('system.filesystem.free_gb', fs_gb);
                 end
                 if event.get('system.cpu.total.pct') != nil
                        cpu_pct = event.get('system.cpu.total.pct') * 100;
                        event.set('system.cpu.total.pct_100', cpu_pct);
                 end
                 if !event.get('system.cpu.total.pct').nil?; event.set('cpu_pct',event.get('system.cpu.total.pct') * 100);end
                "
    }

Consider that only system.process.cpu.duration is set properly

Badger · February 25, 2022, 11:35pm

If that is coming from metricbeat you would have to use

 if event.get('[system][filesystem][free]')

and so on. logstash does not use the naming convention for fields inside objects that beats and elasticsearch use.

stemons · February 28, 2022, 10:20am

I'm making the same exercise for an aws rds metric, but it is not work. Here is the configuration. Are this module has a different syntax?

 if event.get('[aws][rds][free_storage][bytes]') != nil
                                rds_free_gb = event.get('[aws][rds][free_storage][bytes]') / (1024*1024*1024);
                                event.set('[aws][rds][free_storage][gb]', rds_free_gb);
                          end

stemons · March 2, 2022, 8:33am

Enyone faced the same issue with this metricbeat module? How could I read the incoming events to check the syntax?

system · March 30, 2022, 8:34am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Basic ruby field adding not working Logstash	3	535	April 14, 2020
Need some help with Ruby event.set / get to use multiplication in config Logstash	3	5962	February 18, 2019
Update of field created by ruby script Elasticsearch	4	593	February 15, 2021
Logstash event ruby code Logstash	13	10184	December 26, 2017
Mapping fields from logstash Logstash	3	1801	July 13, 2017

Event.set does not work

Related topics