Grok - how to add field with values from existing fields?

Elastic Stack Logstash
1

The following is a pull of metrics from a jmx application.
The question is how to build a grok pattern, which will use the metric_path: as field name(it's changing constantly) and use metric_value_number as the numeric value?

Thank you in advance.

metric_value_number:1 
path:/opt/jmxd/ 
@timestamp:January 5th 2018, 12:16:16.652 
@version:1 
host:server1 
metric_path:dumper.PlugableGroupConsumer-0.running_bool 
type:jmx 
_id:NLEJxmABgpl3QdqYJlaX 
_type:jmx 
_index:jmx-2018.01.05 
_score: -```
2 
mutate {
  add_field => {
    "%{metric_path}" => "%{metric_value_number}"
  }
}
3

Hey, thanks a lot, that worked, but the value comes out as a string. Is there a way to make it numeric?

maybe:


filter {
mutate {
 add_field => {
   "%{metric_path}" => "%{metric_value_number}"
 }}
filter{
mutate{
convert => {
"dumper.BufferPool.direct.Count" => "integer",
"dumper.BufferPool.direct.Name"  => "integer",
"dumper.BufferPool.direct.ObjectName" => "integer",
"dumper.BufferPool.direct.MemoryUsed" => "integer",
"dumper.BufferPool.direct.TotalCapacity" => "integer",
"dumper.BufferPool.mapped.Count" => "integer",
"dumper.BufferPool.mapped.MemoryUsed" => "integer",
"dumper.BufferPool.mapped.Name" => "integer",
"dumper.BufferPool.mapped.ObjectName" => "integer",
"dumper.BufferPool.mapped.TotalCapacity" => "integer",
"dumper.GarbageCollector.ConcurrentMarkSweep.CollectionCount" => "integer",
"dumper.GarbageCollector.ConcurrentMarkSweep.CollectionTime" => "integer",
"dumper.GarbageCollector.ParNew.CollectionCount" => "integer",
"dumper.GarbageCollector.ParNew.CollectionTime" => "integer",
"dumper.HdfsDumper-default-urlinfo-click-stream-1_0.errorCounter" => "integer",
"dumper.HdfsDumper-default-urlinfo-click-stream-1_0.filesCounter" => "integer",
"dumper.HdfsDumper-default-urlinfo-click-stream-1_0.messageCounter" => "integer",
"dumper.HdfsDumper-default-urlinfo-click-stream-1_0.writerMessageCounter" => "integer",
"dumper.KafkaGroupMonitor.lastRefresh" => "integer",
"dumper.KafkaGroupMonitor.listOfmyPartitions" => "integer",
"dumper.KafkaGroupMonitor.maxLag" => "integer",
"dumper.KafkaGroupMonitor.myClientsStr" => "integer",
"dumper.KafkaGroupMonitor.myMaxLag" => "integer",
"dumper.KafkaGroupMonitor.myPartitions" => "integer",
"dumper.KafkaGroupMonitor.orphanPartitions" => "integer",
"dumper.Memory.HeapMemoryUsage.committed" => "integer",
"dumper.Memory.HeapMemoryUsage.init" => "integer",
"dumper.Memory.HeapMemoryUsage.max" => "integer",
"dumper.Memory.HeapMemoryUsage.used" => "integer",
"dumper.Memory.NonHeapMemoryUsage.committed" => "integer",
"dumper.Memory.NonHeapMemoryUsage.init" => "integer",
"dumper.Memory.NonHeapMemoryUsage.max" => "integer",
"dumper.Memory.NonHeapMemoryUsage.used" => "integer",
"dumper.Memory.ObjectName" => "integer",
"dumper.Memory.ObjectPendingFinalizationCount" => "integer",
"dumper.Memory.Verbose_bool" => "integer",
"dumper.PlugableGroupConsumer-0.errorCounter" => "integer",
"dumper.PlugableGroupConsumer-0.messageCounter" => "integer",
"dumper.PlugableGroupConsumer-0.running_bool" => "integer",
"dumper.Runtime.StartTime" => "integer",
"dumper.Runtime.Uptime" => "integer",
"dumper.UrlInfoDumperApp.messageCounter.messageCounter" => "integer",
"dumper.maxFetcherLag.Value" => "integer"
 }}
}
}
4

Yes, or if you don't want to enumerate all fields you could write a snippet of Ruby in a ruby filter to e.g. convert any field with a dot in the name.

5

should i use just convert or is there something better for that . for the sake of testing i tried this on a completely new index and it keeps pulling the numbers as strings.

6

should i use just convert or is there something better for that .

You're using the right tool.

for the sake of testing i tried this on a completely new index and it keeps pulling the numbers as strings.

Please show an example document, e.g. by copy/pasting from Kibana's JSON tab.

7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.