How access nested array field from wmibeat


(Fiona) #1

Hi,
I am sending wmibeat to logstash and want to change the value of the field returned from string to number. I would normally do this with a mutate or grok in filter section, but I can't seem to get the field parsed correctly.

This is how it looks in Kibana:
wmi.Win32_Process.0.VirtualSize 35568685056

I thought this would work, but it doesn't:
filter {
  mutate {
    add_field => { "Bytes" => "%{[wmi][Win32_Process].0.[VirtualSize]}" }
    convert => { "Bytes" => "float" }
  }
}

The output from this is a new field called Bytes with the text above in it:
Bytes %{[wmi][Win32_Process].0.[VirtualSize]}

I have tried various formats of square brackets, using comma notation instead of square brackets, I even tried deciphering the ruby code, but I got completely lost with that. All I want is to convert the field content to a number instead of a string. What am I missing here?

I also ran it with debug on and I can see the pipeline event as:
[DEBUG] 2018-10-30 18:23:59.356 [Ruby-0-Thread-10: :1] pipeline - filter received {"event"=>{"tags"=>["production", "fionatest", "wmibeat", "beat", "beats_input_raw_event"], "wmi"=>{"Win32_Process"=>{"0"=>{"Name"=>"filebeat.exe", "VirtualSize"=>"35568685056"}}}, "@timestamp"=>2018-10-30T18:23:54.943Z, "beat"=>{"name"=>"WIN-95VPU63HK0H", "hostname"=>"WIN-95VPU63HK0H"}, "type"=>"wmibeat", "host"=>"WIN-95VPU63HK0H", "@version"=>"1"}}


(Jake Landis) #2

I think this is what you want:

mutate {
  add_field => { "Bytes" => "%{[wmi][Win32_Process][0][VirtualSize]}" }
}
mutate {
  convert => { "Bytes" => "integer" }
}

The syntax is [0], not .0. Also, you need to use two filters here to ensure that add_field happens before the convert. Also, I am converting to integer type instead of float since I assume these bytes are integer/long types.

For future Logstash questions please see the #logstash topic.


(Fiona) #3

Re #logstash forum - oops sorry, I think I started a question in that forum and then went off to try something and posted to this one by mistake!

Thanks for your help - I did get this working finally, although the conversion to a non-string field was harder than I thought it would be. I ended up with this:

filter {
  mutate {
    add_field => { "Bytes" => "%{[wmi][Win32_Process][0][VirtualSize]}" }
    add_field => { "Index_Type" => "wmibeat" }
  }
  grok { match => { "Bytes" => "%{INT:Bytesxxx}" } }
  ruby { code => "event.set('byte2number', event.get('Bytes').to_f)" }
}

I tried the mutate convert but it always gave me a string field.

Anyway, this might not be pretty, but it works :)
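The two-step mutate from the answer, as a stand-alone pipeline you can run with `bin/logstash -f`; this is an added example, not code from either post, and the input event is constructed from the debug line in the question (the filename nested-convert.conf is only illustrative):

```logstash
# Reads one constructed wmibeat-style event (copied from the debug output above)
# instead of a beats input, so the pipeline runs without a beat attached:
#   bin/logstash -f nested-convert.conf
input {
  generator {
    lines => ['{"wmi":{"Win32_Process":{"0":{"Name":"filebeat.exe","VirtualSize":"35568685056"}}}}']
    count => 1
    codec => "json"
  }
}

filter {
  # Every level of a nested reference goes in its own brackets. "0" is just
  # another hash key here (Win32_Process is a hash, not an array), and [0]
  # resolves it either way; a reference written with dots is not parsed and
  # is copied into the new field verbatim, which is what the question saw.
  mutate {
    add_field => { "Bytes" => "%{[wmi][Win32_Process][0][VirtualSize]}" }
  }

  # convert must live in a second block: inside one mutate, add_field is a
  # common option that is applied after convert, so a single block would try
  # to convert a field that does not exist yet and simply skip it.
  mutate {
    convert => { "Bytes" => "integer" }
  }

  # The copy is optional; convert also accepts the nested reference directly
  # and changes the type in place.
  mutate {
    convert => { "[wmi][Win32_Process][0][VirtualSize]" => "integer" }
  }
}

output {
  # rubydebug prints Bytes => 35568685056 without quotes once it is numeric,
  # which is the quickest check that the conversion actually happened.
  stdout { codec => rubydebug }
}
```

If Bytes was already indexed as a string, the existing index mapping keeps that type regardless of what Logstash now sends; the numeric field only appears as such in a newly created index (or after a reindex).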
