How to Reference field value(s) in Logstash

Hey Elastic Team,

First-time post here, so please let me know if you need more detail; I'll try to provide as much context as possible.

I am trying to create a visualisation based on SNMP data coming from our firewall, specifically to visualise the incoming and outgoing traffic in bytes. I have the data ingesting with no problem at all; however, the way the firewall outputs the data is by adding the number of bytes used in a timeframe to a running total, with a 32-bit maximum (4,294,967,295), and resetting the total once the maximum is reached.

My problem lies in trying to visualise the change in these numbers. To do this, I want to take the most recent value of, say, the inbound traffic from the most recent log and compare it to the value of the same field from the previous log in the stream.

Is there a way to reference the value of said fields in Logstash and store them as variables, so I can write a conditional statement to get the desired output?

    if [value2] > [value1] {
        ${ACTUAL_VALUE} == [value2] - [value1]
    }

Again, if you need further context please let me know and thank you in advance.

You could do it in a ruby filter. Start with

    ruby {
        # @lastBytes lives on the filter instance, so it survives between events
        init => '@lastBytes = 0'
        code => '
            bytes = event.get("bytes")
            # only compute a delta when the field is actually present
            if bytes
                bytes = bytes.to_i
                event.set("someField", bytes - @lastBytes)
                @lastBytes = bytes
            end
        '
    }
You will need pipeline.ordered set to true and pipeline.workers set to 1.
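As an added example that is not part of the reply above, the following stand-alone Ruby script shows the same previous-value technique extended to what the question actually describes: a 32-bit counter that wraps back to zero, and more than one counter per event. `StubEvent` is a stand-in for `LogStash::Event` (assumed here to need only `get` and `set`), and the field names `ifName`, `ifInOctets` and `ifOutOctets` are assumptions; substitute whatever your snmp input emits.

```ruby
# Added example, not code from the original thread: a counter-delta filter
# that also handles the 32-bit SNMP counter wrap the question describes.
# StubEvent is a stand-in for LogStash::Event (assumption: only get/set are
# used, which Logstash's real Event also provides).

COUNTER32_MAX = 4_294_967_295 # largest value of an SNMP Counter32

class StubEvent
  def initialize(fields)
    @fields = fields.dup
  end

  def get(name)
    @fields[name]
  end

  def set(name, value)
    @fields[name] = value
  end

  def to_hash
    @fields.dup
  end
end

# Tracks the previous sample per counter. This replaces the reply's single
# @lastBytes instance variable, which would mix values if the firewall
# reports more than one interface or more than one counter.
class CounterDelta
  def initialize(max = COUNTER32_MAX)
    @max = max
    @last = {}
  end

  # Bytes counted since the previous sample for this key, or nil for the first
  # sample (nothing to diff against). A value lower than the previous one is
  # treated as a wrap past @max; a device reboot looks the same and cannot be
  # told apart using the counter alone.
  def delta(key, current)
    prev = @last[key]
    @last[key] = current
    return nil if prev.nil?
    if current >= prev
      current - prev
    else
      (@max - prev) + current + 1
    end
  end
end

# Equivalent of the body placed in the filter's `code =>` string. Field names
# ifName, ifInOctets and ifOutOctets are assumed; use whatever your snmp
# input actually emits.
def process(event, deltas)
  iface = event.get("ifName")
  %w[ifInOctets ifOutOctets].each do |counter|
    raw = event.get(counter)
    next if raw.nil?
    d = deltas.delta([iface, counter], raw.to_i)
    event.set("#{counter}_delta", d) unless d.nil?
  end
  event
end

# Constructed sample stream (not real firewall data): three polls of one
# interface; the inbound counter wraps between the second and third poll.
SAMPLES = [
  { "ifName" => "eth0", "ifInOctets" => 4_294_960_000, "ifOutOctets" => 100 },
  { "ifName" => "eth0", "ifInOctets" => 4_294_967_000, "ifOutOctets" => 250 },
  { "ifName" => "eth0", "ifInOctets" => 1_500,         "ifOutOctets" => 400 },
].freeze

# Feeds the samples through one filter instance, as Logstash would with a
# single worker, and returns the enriched events as hashes.
def run_samples(samples = SAMPLES)
  deltas = CounterDelta.new
  samples.map { |fields| process(StubEvent.new(fields), deltas).to_hash }
end

if __FILE__ == $PROGRAM_NAME
  run_samples.each { |h| puts h.inspect }
end
```

The previous-value table is state held by the filter instance, which is why the reply's `pipeline.workers: 1` and `pipeline.ordered: true` requirement still applies: with several workers each would keep its own `@last` and see only a subset of the stream. Logstash's ruby filter can also load a script like this from a file through its `path` option, where the file defines `filter(event)` and returns `[event]`; that is easier to maintain than a large `code =>` string. Once the `_delta` fields exist, the visualisation is a plain sum of them per time bucket rather than a derivative of the running total.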

Thank you, I'll try this out!
