If condition loop on array

Hello, I was reading several posts on how to loop through an array, but I don't know how to iterate over each value and then rename it.
I tried with split, but it creates a document for each value (I want one doc with all values).
I was able to use the following code, but I would like to know how to iterate over each value (example):
tabladiscos[0]["3.2.5.1.1.73"]
tabladiscos[1]["3.2.5.1.1.73"]
tabladiscos[2]["3.2.5.1.1.73"]...

I have this code:

input {
  snmp {
    tables  => [{"name" => "tabladiscos" "columns"  => [".1.3.6.1.4.1.232.3.2.5.1.1.73"]}]
    hosts => [
      {host => "udp:xx.xxx.xxx.xxx/161" community => "site1" version => "2c" retries => 2 timeout => 1000},
      {host => "udp:xx.xxx.xxx.xxx/161" community => "site1" version => "2c" retries => 2 timeout => 1000},
      {host => "udp:xx.xxx.xxx.xxx/161" community => "site1" version => "2c" retries => 2 timeout => 1000}
    ]
    mib_paths => ["/usr/share/snmp/mibs/"]
    interval => 120
    #OID_ROOT_SKIP = OID root digits to ignore in the event field name
    oid_root_skip => 7
  }
}
filter {
  if ([tabladiscos][0][3.2.5.1.1.73]) {
    mutate {
      rename => {"[tabladiscos][0][3.2.5.1.1.73]" => "disk01"}
    }
  }
  if ([tabladiscos][1][3.2.5.1.1.73]) {
    mutate {
      rename => {"[tabladiscos][1][3.2.5.1.1.73]" => "disk02"}
    }
  }
  if ([tabladiscos][2][3.2.5.1.1.73]) {
    mutate {
      rename => {"[tabladiscos][2][3.2.5.1.1.73]" => "disk03"}
    }
  } else {
    drop {}
  }
}

In Kibana a JSON file is like this:

{
  "_index": "ilohost",
  "_type": "_doc",
  "_id": "gmUd25lBsPB1x",
  "_version": 1,
  "_score": 1,
  "_source": {
    "@timestamp": "2023-06-20T23:22:16.726Z",
    "@version": "1",
    "disk03": 2,
    "tabladiscos": [
      {
        "index": "0.16"
      },
      {
        "index": "0.17"
      },
      {
        "index": "0.18"
      },
      {
        "index": "0.19",
        "3.2.5.1.1.73": 2
      }
    ],
    "host": "xx.xxx.xxx.xx",
    "disk01": 2,
    "disk02": 2
  },
  "fields": {
    "tabladiscos.3.2.5.1.1.73": [
      2,
      2,
      2,
      2
    ],
    "disk03": [
      2
    ],
    "tabladiscos.index": [
      "0.16",
      "0.17",
      "0.18",
      "0.19"      
    ],
    "@version.keyword": [
      "1"
    ],
    "@timestamp": [
      "2023-06-20T23:22:16.726Z"
    ],
    "tabladiscos.index.keyword": [
      "0.16",
      "0.17",
      "0.18",
      "0.19"
      
    ],
    "@version": [
      "1"
    ],
    "host": [
      "xx.xxx.xxx.xx"
    ],
    "host.keyword": [
      "xx.xxx.xxx.xx"
    ],
    "disk01": [
      2
    ],
    "disk02": [
      2
    ]
  }
}

If there are a variable number of entries you would need a ruby filter. Something like

ruby {
    code => '
        discos = event.get("tabladiscos")
        if discos.is_A? Array
            target = 1
            discos.each_index { |i|
                if discos[i]["3.2.5.1.1.73"]
                    event.set("disk" + target.to_s.rjust(2, "0"), discos[i]["3.2.5.1.1.73"])
                    target += 1
                end
            }
        end
    '
}

I haven't tested that, but hopefully it helps.
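
The renaming logic from the filter above, as an added example that is not part of the original posts: it runs outside Logstash against a constructed document, so the behaviour on missing values can be checked before deploying. `FakeEvent`, `flatten_disks`, `COLUMN` and `SAMPLE` are hypothetical names; `FakeEvent` only imitates the `get`/`set` calls the filter uses.

```ruby
# Added example: minimal stand-in for the Logstash event API (get/set only),
# so the filter body can be exercised without a running pipeline.
class FakeEvent
  def initialize(data)
    @data = data
  end

  def get(field)
    @data[field]
  end

  def set(field, value)
    @data[field] = value
  end

  def to_hash
    @data
  end
end

COLUMN = "3.2.5.1.1.73" # column key as it appears in the thread's documents

# Same approach as the filter in the answer, written with Ruby's is_a?.
# Returns the number of diskNN fields written to the event.
def flatten_disks(event)
  discos = event.get("tabladiscos")
  return 0 unless discos.is_a?(Array) # table missing or not an array

  target = 1
  discos.each do |row|
    next unless row.is_a?(Hash) && row[COLUMN] # skip rows without the column
    event.set("disk" + target.to_s.rjust(2, "0"), row[COLUMN])
    target += 1
  end
  target - 1
end

# Constructed sample, shaped like the document posted in the thread.
SAMPLE = {
  "host" => "xx.xxx.xxx.xx",
  "tabladiscos" => [
    { "index" => "0.16", COLUMN => 2 },
    { "index" => "0.17" }, # row with no value for the column
    { "index" => "0.18", COLUMN => 3 }
  ]
}

if __FILE__ == $PROGRAM_NAME
  ev = FakeEvent.new(SAMPLE.dup)
  puts "wrote #{flatten_disks(ev)} fields"
  puts ev.to_hash.reject { |k, _| k == "tabladiscos" }
end
```

With this sample, the row at index 0.18 becomes `disk02`: the counter numbers only rows that carry a value, so a `diskNN` name follows position among reported rows rather than the SNMP row index.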

Thanks Badger for this quick response, let me check if it works and I will answer here.
I'm not familiar with Ruby and I didn't know how to change each number (1, 2, 3, ...) as a variable.

AMAZING, thank you very much !!!!!
It works as I want :star_struck:
Could you tell me where I can learn Ruby? I'm a newbie at it.

I only had to change the uppercase A and write it as discos.is_a?

This is the JSON result and how it shows in Kibana:

{
  "_index": "ilohost",
  "_type": "_doc",
  "_id": "G8wE3YgBytP59SAoyF4M",
  "_version": 1,
  "_score": 1,
  "_source": {
    "NicEnableStatus": 2,
    "@version": "1",
    "InterfaceStatus": 2,
    "disk26": 2,
    "SelfTestErrors": 0,
    "disk15": 2,
    "@timestamp": "2023-06-21T08:14:18.019Z",
    "disk02": 2,
    "disk12": 2,
    "disk14": 2,
    "disk06": 2,
    "BatteryPercentCharged": 0,
    "disk25": 2,
    "disk17": 2,
    "disk10": 2,
    "disk11": 2,
    "disk24": 2,
    "disk23": 2,
    "disk03": 2,
    "PendingAlerts": 2,
    "disk04": 2,
    "disk16": 2,
    "disk22": 2,
    "disk05": 2,
    "tabladiscos": [
