I'm using the translate filter with a set of mappings in a dictionary.
{
"@timestamp" => 2021-07-23T11:52:08.000Z,
"Flag" => "16464",
"Flag_Definition" => "liveness test timed outMachine lost serviceservice failed liveness check in last 30 sec"
}
The flag definition field works as expected, but the output seems appended to each other, i.e.
16464 is a combination of "liveness test timed out" and "Machine lost service" and "service failed liveness check in last 30 sec"
But the result seems to be appended. Is there a way we can separate them?
I suspect not. You could convert the flag to binary
ruby {
code => '
# Ruby uses if ... end, not braces, for conditionals
flag = event.get("Flag")
if flag
event.set("[@metadata][flags]", flag.to_i.to_s(2))
end
'
}
then use grok to pick out each bit and test it. However, it might be easier to just do the whole thing in ruby.
ruby {
code => '
flag = event.get("Flag").to_i
flags = []
if 0 != flag & 4 ; flags << "Machine lost service" ; end
if 0 != flag & 16; flags << "liveness test timed out" ; end
if 0 != flag & 64; flags << "service failed liveness check in last 30 sec" ; end
if 0 != flag & 512; flags << "stopped" ; end
if 0 != flag & 2048; flags << "lost certs" ; end
event.set("Flag_Definition", flags)
'
}
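A stand-alone variant of the same idea, added here as an example and not Badger's code: the bit values are the ones in the answer above, but the lookup is table-driven, unknown bits are reported instead of dropped, and an unparseable Flag tags the event. FakeEvent is a constructed stand-in for the Logstash event API so the filter body can be run outside Logstash.

```ruby
# Bit value => definition, as listed in the answer above.
FLAG_TABLE = {
  4    => "Machine lost service",
  16   => "liveness test timed out",
  64   => "service failed liveness check in last 30 sec",
  512  => "stopped",
  2048 => "lost certs",
}.freeze

# Returns an array with one definition per set bit of +flag+ (string or
# integer), lowest bit first. Bits missing from the table are reported as
# "unknown bit N" so a new flag value is visible rather than silently lost.
# Returns nil when +flag+ is not a non-negative integer.
def decode_flags(flag, table = FLAG_TABLE)
  value = Integer(flag, exception: false) # nil for nil, "abc", etc.
  return nil if value.nil? || value < 0
  defs = []
  bit = 0
  while (1 << bit) <= value
    mask = 1 << bit
    defs << table.fetch(mask) { "unknown bit #{bit}" } if value & mask != 0
    bit += 1
  end
  defs
end

# Minimal stand-in for the Logstash event get/set API (constructed).
class FakeEvent
  def initialize(fields) ; @fields = fields ; end
  def get(name) ; @fields[name] ; end
  def set(name, value) ; @fields[name] = value ; end
end

# Body that would go inside `ruby { code => '...' }` in the pipeline:
# decode the flag, or tag the event when the value cannot be parsed.
def filter(event)
  defs = decode_flags(event.get("Flag"))
  if defs
    event.set("Flag_Definition", defs)
  else
    event.set("tags", Array(event.get("tags")) + ["_flag_parse_failure"])
  end
end
```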
Thank you so much @Badger, this works perfectly.
I'm not familiar with Ruby code. Could you let me know if there's some basic documentation on Logstash's Ruby implementation? I'd like to understand the code.