Initialize variable in Logstash ruby

Hello.

I have my pipeline configured as follows:

    ...
      mutate {
       add_field => { "append_request_history_array" => [ "%{time_local}, host:%{host}, request_uri:%{request_uri}, user_agent:%{user_agent}] }
      }
      
     fingerprint {
       method => "MD5"
       source => ["myheader"]
       target => ["fingerprint"]
      }

      elasticsearch {
       hosts => ["localhost:9200"]
       index => "logs"
       query => '_id=%{fingerprint}'
       fields => { "request_history_array" => "request_history_array" }
      }

       ruby {
        code => '
         event.set("request_history_array", event.get(request_history_array) + ["append_request_history_array"])
        '
       }
    ...

I get error:

    [2019-02-04T12:53:50,742][ERROR][logstash.filters.ruby    ] Ruby exception occurred: undefined local variable or method `request_history_array' for #<LogStash::Filters::Ruby:0x5d573291>

Why is that? The requested field exists in elasticsearch index that I query.

The ruby code is referencing a variable request_history_array and this is not defined.

I think you will need that to be a string.

I think you are concatenating two arrays, one coming from a ES filter query and one from the mutate/add_field done earlier.

For added clarity, I would make this a multiline ruby code block:

      ruby {
        code => '
          retrieved_array = event.get("request_history_array")
          append_array = event.get("append_request_history_array")
          # the plus operator here is an array concat operation, the second arrays elements are added to the first array,
          # duplicates are possible. Use (retrieved_array + append_array).uniq to remove dups.
          event.set("request_history_array", retrieved_array + append_array)
        '
       }

Thank you for your suggestion.
I was trying to merge two arrays.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.