Global variables in LS possible?

seanziee · February 14, 2017, 2:08pm

So I'm an amateur ruby user and I'm trying to figure this out, but a bit hard trying to mesh my limited ruby knowledge and trying to incorporate it with how the ruby plugin works in logstash.

I'd like to somehow save a global variable or array that I can use in consecutive logstash ingest events.

For example:

The first time logstash starts, it imports a document with field AppDomain: 12345. I'd like to store this document's field, "subject", in an array, FlaggedSubjects, and then logstash finishes its run and outputs as normal to ES. Then the next time it runs, I want all of the next documents with a subject to come through and check if it's AppDomain is the same as the first one by looking at FlaggedSubjects[0]. If it isn't then it can go through and if it is, I want to do some action.

I can't seem to get an array to be "global" or usable between different logstash ingest events. Is this at all possible with logstash? Before I spend another couple days on this, it would be good to know if I'm even going in the right direction.

Here's what I've written thus far:

if 12345 in [AppDomain]{
ruby {
            init => ""
            code => "
            FlaggedSubjects = Array.new;
            FlaggedSubjects << event.get('subject')"
}
if [subject]{
ruby {
            init => ""
            code => "
            if event.get('AppDomain') == FlaggedSubjects[0]
            event.set('tags','HELLO')
            end"
            
}

Any help?

paz · February 14, 2017, 2:31pm

You can define a global variable as far as I know, like so (prepend with $ and move it to init block, so it won't get re-initialized each run) :

if 12345 in [AppDomain]{
ruby {
init => "$FlaggedSubjects = Array.new;"
code => "
$FlaggedSubjects << event.get('subject')"
}
if [subject]{
ruby {
code => "
if event.get('AppDomain') == $FlaggedSubjects[0]
event.set('tags','HELLO')
end"

}

Btw, why use an array if you always check against the first element only?

seanziee · February 14, 2017, 2:51pm

So I'll be filling the array with many different values later and running a loop to cycle through all the values to cross check, but only after I can get one to stay. Making this work is just step 1

But regardless, I've tried what you recommended and the value of FlaggedSubjects[0] is not being set into the field 'tags'. 'tags' remains unchanged when I try this set up and this is the error:

Ruby exception occurred: undefined local variable or method `taggedLogs' for<LogStash::Filters::Ruby:0x7613899a

Any idea?
EDIT: I was missing an $ in front of the array in the code section. Testing things out now!

system · March 14, 2017, 2:51pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.