If statement ruby filter

Elastic Stack Logstash
1

Hi,
I have a small problem in if statement under ruby
here my code:

filter {
grok { match => { "message" => "%{GREEDYDATA:log_message}"    }}
mutate { split => {"message" => "|"} }
ruby {
      code => "event.set('number_of_elements', event.get('message').length)
               event.set('x', 0)
               if 'EXCEPTION' in [log_message]
                   event.set('DETAIL EXCEPTION', event.get('message')[event.get('x')])
               end
               "
      }
}

Maybe syntax or something else ...?

Any help would be sincerely appreciate!
Thanks!

2

Indeed. Try

    ruby {
        code  => '
            event.set("number_of_elements", event.get("message").length)
            event.set("x", 0)
            if event.get("log_message").include?("EXCEPTION")
                event.set("DETAIL EXCEPTION", event.get("message")[event.get("x")])
            end
        '
    }

But why bother setting the field x, why not use event.get("message")[0]?

3

Thanks for the reply
indeed, my goal is that when I add a field, I want it to take the value of message[0] message[1]message[2]....

ruby {
      code => "event.set('DateTime', event.get('message')[event.get('x')])
               event.set('x', (event.get('x')) + 1)
               event.set('version', event.get('message')[event.get('x')])
               event.set('x', (event.get('x')) + 1)
               event.set('GateWay Operation', event.get('message')[event.get('x')])
               event.set('x', (event.get('x')) + 1)
               if event.get('GateWay Operation') == 'PAIEMENT   '
                   event.set('Id', event.get('message')[event.get('x')])
                   event.set('x', (event.get('x')) + 1)
               end
               if event.get('log_message').include?('EXCEPTION')
                   event.set('DETAIL EXCEPTION', event.get('message')[event.get('x')])
               end
"    
}

so in this case if ('GateWay Operation') == 'PAYMENT ' "Id" it will be message[3] ok then if EXCEPTION in log_message "DETAIL EXCEPTION" this will be message[4], right?
Ok now imagine ('GateWay Operation') != 'PAYMENT' and EXCEPTION in log_message so in this case "DETAIL EXCEPTION" will be in message[3] not 4. so imagine I have so a lot if condition like this that's why i am using this but i don't know if i can optimize my code.

4

I understand now why you cannot use a csv filter, but I would do it all in one ruby filter.

ruby {
    code => '
        m = event.get("message").split("|")
# .shift removes the first value in an array and returns it
        event.set("DateTime", m.shift)
        event.set("version",  m.shift)
        event.set("GateWay Operation", m.shift)
        if event.get("GateWay Operation") == 'PAIEMENT   '
            event.set("Id", m.shift)
        end
        if event.get("log_message").include?("EXCEPTION")
            event.set("DETAIL EXCEPTION", m.shift)
        end
    '
}
1 Like
5

Wow i liked this one thank you very much @Badger last thing please about the if statement too

ruby {
code => "if #the rest of the pipe is == 5 blocks
    event.set('Status', m.shift)
    event.set('Code', m.shift)
end"
}

if the rest of the pipeline = 5 I'm new to ruby filter so I'm not good at ruby filter syntax sorry about that. and I don't know if it's possible to verify the rest of the pipeline.

Once again thank you @Badger

6

Not sure what you mean but maybe if m.length == 5?

1 Like
7

Exactly thank you!

8

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.