Getting sum of a field in xml

Ameeruddin_Mohammed · October 10, 2020, 8:45pm

hi, i am new to elk. with a lot of googling and checking responses of @Badger i was able to come up with a working config to load data as i wanted.

sample loaded data

{
"@timestamp" => xxx,
"host" => "xxx",
"data" => {
"pmAverageSirError" => "3354,860,908,1053,1414,1868,1263,1603,1607,2122,1538,2226,1701,1911,1735,2866,2196,2572,3087,4539,8700,40007,9578,1393,708,382,304,217,172,119,90,79,65,57,62,42,38,35,25,22,22,171",
"measObjLdn" => "ManagedElement=xxx,NodeBFunction=1,NodeBLocalCellGroup=1,NodeBLocalCell=xxx,RadioLinks=1"
},
"tags" => [
[0] "multiline",
[1] "_rubyexception"
],
"@version" => "1",
"path" => "xxx"
}

now i want to sum a field so i tried

ruby {
code => '
a = event.get("[data][pmAverageSirError]")
if a
sum = 0
a.each_index { |x|
sum += a.to_i

		        }
		        event.set("sum_pmAverageSirError", sum)
				event.set("test", a)
		    end
		'
	}

please support.

Badger · October 10, 2020, 9:20pm

Ruby arrays are Enumerable, and the Enumerable module has a sum function.

    ruby {
        code => '
            a = event.get("[data][pmAverageSirError]")
            if a
                a = a.split(",")
                a.each_index { |x| a[x] = a[x].to_i }
                event.set("sum_pmAverageSirError", a.sum)
            end
        '
    }

Ameeruddin_Mohammed · October 10, 2020, 9:34pm

Badger:

    ruby {
        code => '
            a = event.get("[data][pmAverageSirError]")
            if a
                a = a.split(",")
                a.each_index { |x| a[x] = a[x].to_i }
                event.set("sum_pmAverageSirError", a.sum)
            end
        '
    }

thanks for the reply. it works. is it possible from my previous config that i can move everything our of data array and have only the actual fields and values?

i am using a code provided by you in some thread.

        xml { source => "message" target => "[@metadata][theXML]" force_array => true }
    ruby {
        code => '
            xml = event.get("[@metadata][theXML]")
            types = xml["measType"]
            values = xml["measValue"]
            a = []
            values.each { |x|
                h = {}
                h["measObjLdn"] = x["measObjLdn"]
                x["r"].each_index { |i|
                    h[types[i]["content"]] = x["r"][i]["content"]
                }
                a << h
            }
            event.set("data", a)
        '
    }
	
			if ([data]) {
				split { field => "[data]" }
				}

Badger · October 11, 2020, 9:19pm

To move sub-fields to the top level you can use code like this.

system · November 8, 2020, 9:20pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Using ruby filter to sum values of nested objects everytime the event matches Logstash	1	464	March 19, 2020
Not able to loop and read key value pairs in logstash Logstash	5	705	September 16, 2018
How to get the sum in time of values in Lens Kibana	52	2773	September 2, 2022
How to make sum(field)-sum(field2) and get a single result for all documents Logstash	4	1488	July 9, 2019
Logstash aggregate function Logstash	1	288	January 12, 2021

Getting sum of a field in xml

Related topics