Logstash 7.3. ruby undefined method split

Elastic Stack Logstash
1

Hi,
I don't know how to use the filebeat fields listed here:
https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-log.html
In logstash.

I need to extract the application name from "log.file.path" field

This is how I see "log.file.path" in Kibana

/home/elk/sample_logs/bdp/hive/hadoop-cmf-hive-HIVESERVER2-cv38x072-internal.sos.kb.cz.log.out

where "hive" is the application name i wan't work with.

This has worked in Logstash 6.8:
ruby {
code => "event.set('app_name',event.get('source').split('/')[-2])"
}

Now with logstash 7.3. it gives an ERROR:
/elastic/log/logstash/logstash-plain.log:[2019-08-26T13:08:52,098][ERROR][logstash.filters.ruby ] Ruby exception occurred: undefined method `split' for nil:NilClas

2

You are trying to split [source] but you are saying the path is in [log][file][path].

3

I'm seing log.file.path field in Kibana and it contains the data I need.

Before upgrading To Logstash 7.3. i used this
ruby {
code => "event.set('app_name',event.get('source').split('/')[-2])"
}

But now it's not working, so I need to figure out, how to get the data now.

4

kibana and logstash have different ways of representing fields inside objects. If the log object contains a field called file then kibana will call it log.file, but in logstash that is referenced using [log][file].

5

thank's a lot for help! :slight_smile:

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.