Input and output "message" field in Ruby filter

I am having difficulties with the Ruby filter. As I understand it, "message" is the default field that contains your input. What I want to do is take my input and filter the whole message string into my Ruby filter (which in my case is calling and providing input to a JavaScript file).

What is not at all clear to me is how to simply get the entire input message in Ruby. How do I get the "message" field into Ruby and how do I get it out at the end? Again, I want to process the entire string from my input, not just a specific field. Any help is much appreciated.

    input {
      file {
        path => "/Users/xxxxx/Documents/xxxxx/example.log"
      }
    }
    filter {
      ruby {
        code => '
          require "open3"
          inputString = "message"
          cmd =  "node Users/xxxx/Documents/xxxx/exampleJS/test.js #{inputString}"
          stdin, stdout, stderr = Open3.popen3(cmd)
          event.set("message", stdout.read)
          err = stderr.read
          if err.to_s.empty?
            filter_matched(event)
          else
            event.set("message", err)
          end'
      }
      json {
        source => "message"
      }
    }

By the way I based the above code on this post.

In a ruby filter you can use event.get("message") to access the whole [message] field.

Thank you, I got it working. For reference, here is my working solution. It takes in a stringified JSON file, does a transformation in JavaScript and outputs as a JSON file:

    filter {
      ruby {
        code => '
          require "open3"
          # The whole input line is in the "message" field.
          jsonString = event.get("message")
          # Argument-list form: no shell parses the log line, and capture3
          # drains both pipes and waits for node to exit.
          out, err, _status = Open3.capture3("node", "/Users/xxx/Documents/xxx/exampleJS/test.js", jsonString)
          if err.to_s.empty?
            event.set("message", out)
            filter_matched(event)
          else
            event.set("message", err)
          end'
      }
      json {
        source => "message"
      }
    }
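
When a ruby filter passes the message to an external program, giving Open3 one command string or an argument list decides whether `/bin/sh` parses the log line first. The following is an added example, not code from this thread: a Ruby one-liner stands in for test.js (an assumption, so it runs without node), and the sample log line is constructed.

```ruby
require "open3"
require "json"
require "rbconfig"
require "shellwords"

# Stand-ins for test.js (assumption): children that report exactly what they
# received, as a JSON array on stdout.
ARGV_CHILD  = [RbConfig.ruby, "-rjson", "-e", "print JSON.generate(ARGV)"].freeze
STDIN_CHILD = [RbConfig.ruby, "-rjson", "-e", "print JSON.generate([STDIN.read])"].freeze

# Constructed sample log line: valid JSON that is also meaningful shell syntax.
SAMPLE = '{"user": "a b", "note": "$(echo expanded)"}'

# One command string: Open3 runs it through /bin/sh, so the shell strips the
# quotes, splits on spaces and evaluates $(...) before the child starts.
def received_via_command_string(message)
  out, _err, _status = Open3.capture3("#{Shellwords.join(ARGV_CHILD)} #{message}")
  JSON.parse(out)
end

# Argument list: the program is executed directly and the message arrives as
# a single argv entry, unchanged.
def received_via_argument_list(message)
  out, _err, _status = Open3.capture3(*ARGV_CHILD, message)
  JSON.parse(out)
end

# Standard input: also unchanged, not limited by the maximum argument size,
# and not visible in the process list.
def received_via_stdin(message)
  out, _err, _status = Open3.capture3(*STDIN_CHILD, stdin_data: message)
  JSON.parse(out)
end

if __FILE__ == $PROGRAM_NAME
  puts "command string: #{received_via_command_string(SAMPLE).inspect}"
  puts "argument list:  #{received_via_argument_list(SAMPLE).inspect}"
  puts "stdin:          #{received_via_stdin(SAMPLE).inspect}"
end
```

With the command string the child sees several mangled arguments and the `$(...)` has already been run by the shell; with the argument list or stdin it sees the original JSON text, which the script can then parse.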