Getting length of array in Logstash using ruby filter

dx123 · October 11, 2018, 7:36am

I have a field, Ports, that is in arrays and is nested.

Examples of my data
"ports": ["TCP1", "TCP2", 'TCP3"]
"ports": ["UDP1", "UDP2"]

However each of these feeds have different number of elements in them. I have to strip the array brackets through the mutate replace filter but before that I need a ruby filter to retrieve the number of elements for each feed for a if-else check.

Desired Output:

filter {
     ruby {
         code => ??? Need help here with the code
     }
 
      mutate {
          if [number of elements] == 3 {
              replace => ["ports", "%{[port][0]} %{[port][1]} %{[port][2]}"]
          }
          else if [number of elements] == 2 {
              replace => ["ports", "%{[port][0]} %{[port][1]}"]
          }
        }
      }

paz · October 11, 2018, 10:20am

To get the length of an array you can use this

ruby {
  code => "
    event.set('number_of_elements', event.get('ports').length)
  "
}

That said, if you just need to flatten the array and keep the information inside as a string, you can do the following instead of the whole conditional of your post (which removes the need for counting array lengths and the mutate filter).

ruby {
  code => "
    event.set('ports', event.get('ports').join(' '))
  "
}

This would convert

"ports": ["TCP1", "TCP2", 'TCP3"]

to

"ports": "TCP1 TCP2 TCP3"

system · November 8, 2018, 10:34am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Length of an array in logstash Logstash	2	2964	July 6, 2017
Logstash array length check Logstash	15	12186	July 6, 2017
How to use ruby filter Logstash	2	913	July 6, 2017
I would like to access nested data from an array Logstash	7	7599	February 15, 2017
Ruby filter logstash (.length) Logstash	2	220	June 13, 2022

Getting length of array in Logstash using ruby filter

Related topics