How to prevent clobbering in translate filter

Hello,

I'm using the translate filter with a set of mappings in a dictionary.


    {
             "@timestamp" => 2021-07-23T11:52:08.000Z,
                   "Flag" => "16464",
        "Flag_Definition" => "liveness test timed outMachine lost serviceservice failed liveness check in last 30 sec"
    }

The flag definition field works as expected, but the output seems appended to each other, i.e.
16464 is a combination of "liveness test timed out" and "Machine lost service" and "service failed liveness check in last 30 sec"

But the result seems to be appended. Is there a way we can separate them?

How is the translate filter configured?

Here's the translate filter

    translate {
        field => "[Flag]"
        destination => "[Flag_Definition]"
        dictionary => {
            "4" => "Machine lost service"
            "16" => "liveness test timed out"
            "64" => "service failed liveness check in last 30 sec"
            "512" => "stopped"
            "2048" => "lost certs"
        }
        fallback => "Unknown Flag"
        exact => false
    }

I do need to create some more combinations of these flags; I'm not sure if translate is the right filter.

For example: the flag 2560 is a combination of

512:stopped
2048: lost certs

I need this to be displayed on the destination field.

I suspect not. You could convert the flag to binary

    ruby {
        code => '
            flag = event.get("Flag")
            # Only convert when the field is present
            if flag
                event.set("[@metadata][flags]", flag.to_i.to_s(2))
            end
        '
    }

then use grok to pick out each bit and test it. However, it might be easier to just do the whole thing in ruby.

    ruby {
        code => '
            flag = event.get("Flag").to_i
            flags = []
            if 0 != flag & 4 ;   flags << "Machine lost service" ; end
            if 0 != flag & 16;   flags << "liveness test timed out" ; end
            if 0 != flag & 64;   flags << "service failed liveness check in last 30 sec" ; end
            if 0 != flag & 512;  flags << "stopped" ; end
            if 0 != flag & 2048; flags << "lost certs" ; end
            event.set("Flag_Definition", flags)
        '
    }
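The following plain-Ruby sketch is an added example, not part of the original posts. It puts the concatenated `exact => false` result next to a table-driven version of the bitwise decode above, which also reports set bits that have no dictionary entry. The names `FLAG_BITS`, `substring_translate` and `decode_flags` are hypothetical, and `substring_translate` is an assumed model of the substring replacement, not the plugin's own code.

```ruby
# Added example (not from the thread). Dictionary copied from the translate
# filter posted above; the flag value is treated as a bitmask.
FLAG_BITS = {
  4    => "Machine lost service",
  16   => "liveness test timed out",
  64   => "service failed liveness check in last 30 sec",
  512  => "stopped",
  2048 => "lost certs"
}.freeze

# Assumption: models "exact => false" as a substring substitution over the
# dictionary keys, which reproduces the concatenated output in the question.
def substring_translate(value)
  dict = FLAG_BITS.map { |bit, text| [bit.to_s, text] }.to_h
  value.to_s.gsub(Regexp.union(dict.keys), dict)
end

# Decode a flag value bit by bit. Returns [definitions, unknown_bits];
# a missing, negative or non-numeric value returns nil so the caller can
# tag the event instead of writing a misleading definition.
def decode_flags(value)
  flag = Integer(value.to_s, 10) rescue nil
  return nil if flag.nil? || flag < 0
  known = FLAG_BITS.select { |bit, _| (flag & bit) != 0 }.values
  # Bits that are set in the value but absent from the dictionary
  leftover = flag & ~FLAG_BITS.keys.reduce(0, :|)
  unknown = (0...leftover.bit_length).map { |i| 1 << i }
                                     .select { |b| (leftover & b) != 0 }
  [known, unknown]
end

if __FILE__ == $0
  p substring_translate("16464") # the keys "16", "4", "64" match as substrings
  p decode_flags("2560")
  p decode_flags("16464")
end
```

Inside a Logstash `ruby` filter, the body of `decode_flags` would read the value with `event.get("Flag")` and write both arrays back with `event.set`.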

Thank you so much @Badger, this works perfectly.

I'm not familiar with Ruby code, could you let me know if there's some basic documentation on Logstash's Ruby implementation? I'd like to understand the code.
