Logstash - clone event (ruby code)

etfeet · October 23, 2015, 2:21am

I've got some log lines that have a count entry and I would like to clone the event for the value of the count in the log line. I'm using a ruby code to do a for loop for the count #. However, the ruby code is outputting to stdout and no making new events. Any idea how I can use ruby code to make a new event similar to how the clone filter does?

I looked at the clone filter but could not find a way to wrap it in a for loop.

Oct 22 19:07:44 kibana sudo: rory : 3 incorrect password attempts ; TTY=pts/5 ; PWD=/home/rory ; USER=root ; COMMAND=/bin/echo 1234

    if [syslog_message] =~ "incorrect password attempts ;" {
            kv {}
            ruby { code => "event['clone_count'] = Integer(event['fail_count']) - 1" }
            mutate { add_tag => [ "cloneme" ] }
    }

    if "cloneme" in [tags] {
      if "cloned" not in [tags] {
        mutate { add_tag => [ "cloned" ] }
          ruby {
            code => "
              for i in 0..Integer(event['clone_count'])
                    puts event['message']
              end
            "
          }
      }
    }

Thorsten_Nickel · October 27, 2015, 9:17am

Quite honestly, this looks far too complicated for me, especially since using ruby code should in my view only be the final option. Made a quick dig around, perhaps you should have a look at the 'clone' filter, which is used to duplicate events.
Maybe this can help you getting your results.

Kind regards,
Thorsten

Topic		Replies	Views
Clone multiple JSON events from input source count Logstash	1	462	November 20, 2018
Logstash: ruby filter: how to create empty event? Logstash	4	4256	April 20, 2018
How can I create new events in ruby filter? Logstash	2	4597	July 6, 2017
Create new event in ruby filter Logstash	5	3450	October 21, 2017
Proper way to create new event from Logstash Ruby filter Logstash	4	3516	June 9, 2020

Logstash - clone event (ruby code)

Related topics