Filter decode from Base64

Hi

I'm running Docker image sebp/elk with :

-logstash: 5.4.0
-elasticsearch: Version: 5.4.0, Build: 780f8c4/2017-04-28T17:43:27.229Z, JVM: 1.8.0_121
-kibana: 5.4.0
-ruby: jruby 1.7.25 (1.9.3p551) 2016-04-13 867cb81 on OpenJDK 64-Bit Server VM 1.8.0_121-8u121-b13-0ubuntu1.16.04.2-b13 +jit [linux-amd64]

In the filter {} part I run this ruby code that is not working
Apparently the syntax has change between version 4 and version 5 but I don't know what did change for Base64

filter {
if [rx][moteeui] == "70B3D580A010106A" {
mutate { add_field => { "tln_decoded" => "" } }
mutate { add_field => { "tln_battery_level" => "0.0" } }
mutate { add_field => { "tln_temperature" => "0.0" } }
mutate { convert => { "tln_battery_level" => "float" } }
mutate { convert => { "tln_temperature" => "float" } }

            ruby {
                    init => "require 'base64'"
                    code => "
                            event.set( '[tln_decoded]', Base64.decode64( event.get('[rx][userdata][payload]') ) )
                            event.set( '[tln_battery_level]', ( event.get('[tln_decoded]' )[2..3].to_i(16) / 254.0 )  * 100.0 )
                            event.set( '[tln_temperature]', event.get('[tln_decoded]' )[12..15].to_i(16) / 16.0 )
                            "
            }
    }

}
filter {
if [rx][moteeui] == "70B3D580A010106A" {
mutate { add_field => { "tln_decoded" => "" } }
mutate { add_field => { "tln_battery_level" => "0.0" } }
mutate { add_field => { "tln_temperature" => "0.0" } }
mutate { convert => { "tln_battery_level" => "float" } }
mutate { convert => { "tln_temperature" => "float" } }

            ruby {
                    init => "require 'base64'"
                    code => "
                            event.set( '[tln_decoded]', Base64.decode64( event.get('[rx][userdata][payload]') ) )
                            event.set( '[tln_battery_level]', ( event.get('[tln_decoded]' )[2..3].to_i(16) / 254.0 )  * 100.0 )
                            event.set( '[tln_temperature]', event.get('[tln_decoded]' )[12..15].to_i(16) / 16.0 )
                            "
            }
    }

}

Hope somebody can help
akaii

It looks like you're missing a closing parenthesis for the second and third event.set calls.

hey

still not working I did change the code like this :

filter {
if [rx][moteeui] {
mutate { add_field => { "tln_decoded" => "" } }
mutate { add_field => { "tln_battery_level" => "0.0" } }
mutate { add_field => { "tln_temperature" => "0.0" } }
mutate { convert => { "tln_battery_level" => "float" } }
mutate { convert => { "tln_temperature" => "float" } }
mutate { add_field => { "tln_flow_level_intensite" => "0.0" } }
mutate { convert => { "tln_flow_level_intensite" => "float" } }
mutate { add_field => { "tln_vibration_level" => "0.0" } }
mutate { convert => { "tln_vibration_level" => "float" } }
ruby {
init => "require 'base64'"
code => "
event.set( '[tln_decoded]', Base64.decode64( event.get('[rx][userdata][payload]') ) )
event.set( '[tln_battery_level]', ( event.get('[tln_decoded]' )[2..3].to_i(16) / 254.0 ) * 100.0 )

  		if event.get('[rx][userdata][payload]') == '70B3D580A010106A'
  				event.set( '[tln_flow_level_intensite]', event.get('[tln_decoded]')[12..15].to_i(16) / 254.0 )
  				event.set( '[tln_vibration_level]', ( ( ( event.get('[tln_flow_level_intensite]') - 4 ) * 25.4 ) / 16.0 ) )
  		elseif event.get('[rx][userdata][payload]') == '70B3D580A0101071'
  				event.set( '[tln_temperature]', event.get('[tln_decoded]' )[12..15].to_i(16) / 16.0 )
  		end
  				"
            }
    }

}

I got no errors in /var/logstash/logstash-plain.log when an index is coming in filter.

Regards,
akaii

Please show an example message where the ruby filter did nothing. Use a stdout { codec => rubydebug } output to dump the raw events.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.