Filtering and output the first item to elastic

Hi everybody

I'm collecting, using an API and Filebeat, a list of computers' statuses, OK or KO.
I would like to store in Elastic a global status for this group of computers.
My list is sorted by state, "0" for OK and "2" for KO.
My current solution is to use any Logstash possibility (filtering perhaps) to extract the first computer status and send it to Elastic.
If I have one state = 2 in my list, my global status will be KO
If any state =2 I will send status = 0 to Elastic

Please find below the details :
this is the result of my query sent to logstash using filebeat

 [ 
  {
      "host_name" : "computer2",
      "last_check" : 1592473989,
      "state" : 2
   },
   {
      "host_name" : "Computer99",
      "last_check" : 1592473793,
      "state" : 0
   }
etc...
]

this is my logstash context

input {
  beats {
    codec => json
    port => 5002
    tags => [ "mytag" ]
  }
}

filter {
  date {
    timezone => "UTC"
    match => [ "last_check","UNIX" ]
    target => "@timestamp"
  }
}

output {
  elasticsearch {
    hosts => ["myelasticsearch:9200"]
    index => "logstash-filebeat-%{+YYYY.MM.dd}"
  }
}

I would like as a result sent to elastic the following. (only the first item)

[ 
  {
      "host_name" : "computer2",
      "last_check" : 1592473989,
      "state" : 2
   }
]

Your help will be very useful for me, I've tried so many things at the moment.
Thanks very much in advance!
Best Regards
Thierry

These two seem to be in conflict to me.

Hi badger
Thanks for your time for reading my post
To try to explain much better
As I'm sorting my result by status, the first entry in the list will show the global status I'm expecting for the group of computers belonging to my query.
If I have one status "2" or more in my list, I would like to send one piece of information to Elastic with a status 2.
If not, all the list will contain a status "0", so the first entry will have a status 0. Information that I would also like to send to Elastic.
The best method I have imagined is to send the first entry in my list by filtering the list using Logstash.
If you know any simple way to do that, this will be a good improvement for me.
Thanks

If you want to select the first item of the array [someField] you can use

# %{...} is a sprintf field reference; without it the literal text "[someField][0]" is stored
mutate { add_field => { "someOtherField" => "%{[someField][0]}" } }

If my understanding is good. I've done some tests also.
Perhaps I should have used "object" instead of "item". Sorry for that.
Your approach consists of adding a field "someOtherField" in each object and linking to it the first item in an array called "someField".
This could be a solution if I had the following and would like to select the first state in my list:

[ 
  {
      "host_name" : "computer2",
      "last_check" : 1592473989,
      "state" : [ "0", "1", "3" ]
   },
  {
      "host_name" : "computer99",
      "last_check" : 1592473989,
      "state" : [ "1", "0", "3" ]
   }
]

The result will be, in my case, to send to Elastic one entry per object with a new field in each object.

The goal I would have is to record only the first object as an input, or remove all objects except the first one:

 [ 
  {
      "host_name" : "computer2",
      "last_check" : 1592473989,
      "state" : 2
   }
]

I think we are close to finding the solution :slightly_smiling_face:
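
An added example, not written by any poster in this thread: the reduction the thread asks for (keep one object that carries the group's global status), in plain Ruby, the language of Logstash's `ruby` filter. It assumes the whole JSON array is available as one string; the name `global_status` is hypothetical, and it goes slightly beyond the thread by picking the highest state instead of relying on the list being sorted.

```ruby
require 'json'

# Hypothetical helper: reduce the API's JSON array of host objects to the
# single object that represents the group's global status.
# Returns nil when the payload has no usable entries.
def global_status(payload)
  hosts = JSON.parse(payload)
  return nil unless hosts.is_a?(Array)

  # Keep only objects that carry an integer "state".
  usable = hosts.select { |h| h.is_a?(Hash) && h['state'].is_a?(Integer) }
  return nil if usable.empty?

  # Worst state wins; on ties the earliest entry is kept, so a list already
  # sorted worst-first yields its first element.
  usable.reduce { |worst, h| h['state'] > worst['state'] ? h : worst }
rescue JSON::ParserError
  # Malformed payload: report "no status" instead of raising.
  nil
end

# Constructed sample input, modelled on the objects shown in the thread.
SAMPLE = <<~JSON
  [
    { "host_name": "computer2",  "last_check": 1592473989, "state": 2 },
    { "host_name": "Computer99", "last_check": 1592473793, "state": 0 }
  ]
JSON

if __FILE__ == $PROGRAM_NAME
  puts JSON.generate(global_status(SAMPLE))
end
```

A `nil` result means the payload was empty or malformed, which is worth treating as its own condition and not as "all OK".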
