Logstash - clone event (ruby code)


(rory) #1

I've got some log lines that have a count entry and I would like to clone the event for the value of the count in the log line. I'm using ruby code to do a for loop for the count #. However, the ruby code is outputting to stdout and not making new events. Any idea how I can use ruby code to make a new event similar to how the clone filter does?

I looked at the clone filter but could not find a way to wrap it in a for loop.

    Oct 22 19:07:44 kibana sudo: rory : 3 incorrect password attempts ; TTY=pts/5 ; PWD=/home/rory ; USER=root ; COMMAND=/bin/echo 1234

    if [syslog_message] =~ "incorrect password attempts ;" {
            kv {}
            ruby { code => "event['clone_count'] = Integer(event['fail_count']) - 1" }
            mutate { add_tag => [ "cloneme" ] }
    }

    if "cloneme" in [tags] {
      if "cloned" not in [tags] {
        mutate { add_tag => [ "cloned" ] }
          ruby {
            code => "
              for i in 0..Integer(event['clone_count'])
                    puts event['message']
              end
            "
          }
      }
    }

(Thorsten Nickel) #2

Quite honestly, this looks far too complicated for me, especially since using ruby code should in my view only be the final option. Made a quick dig around, perhaps you should have a look at the 'clone' filter, which is used to duplicate events.
Maybe this can help you get your results.

Kind regards,
Thorsten
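
The fan-out asked about in this thread, modelled as stand-alone Ruby. This is an added example, not part of any post and not Logstash's own code. Events are plain Hashes here; inside a ruby filter each returned copy would be passed to `new_event_block.call` instead of `puts`, assuming a logstash-filter-ruby version that exposes it. The regex, the `MAX_CLONES` cap and the `attempt_index` / `sudo_user` fields are assumptions.

```ruby
# Added example: models the per-attempt fan-out for sudo failure lines.
# An event is a plain Hash standing in for a Logstash event.

MAX_CLONES = 50 # assumed cap so one corrupt or hostile log line cannot flood the pipeline

ATTEMPTS_RE = /sudo:\s+(?<user>\S+) : (?<count>\d+) incorrect password attempts ;/

# Returns the extra copies needed so that original + copies == reported attempt count.
# Returns [] for lines that do not match or that were already fanned out.
def clones_for(event)
  tags = event.fetch('tags', [])
  return [] if tags.include?('cloned') # guard against re-cloning a clone

  m = ATTEMPTS_RE.match(event['message'].to_s)
  return [] unless m

  count = [m[:count].to_i, MAX_CLONES].min
  extra = [count - 1, 0].max

  Array.new(extra) do |i|
    copy = Marshal.load(Marshal.dump(event)) # deep copy, nothing shared with the original
    copy['tags'] = tags + ['cloned']
    copy['attempt_index'] = i + 2            # the original event counts as attempt 1
    copy['sudo_user'] = m[:user]
    copy
  end
end

# Constructed sample input, modelled on the log line in the question.
SAMPLE = {
  'message' => 'Oct 22 19:07:44 kibana sudo: rory : 3 incorrect password attempts ; ' \
               'TTY=pts/5 ; PWD=/home/rory ; USER=root ; COMMAND=/bin/echo 1234',
  'tags' => ['cloneme']
}.freeze

if __FILE__ == $PROGRAM_NAME
  clones_for(SAMPLE).each { |e| puts e.inspect }
end
```

Capping the count keeps the number of indexed events bounded when the number in the log line is not trustworthy.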

