Logstash concatenate two field values from metricbeat

Hello All,

Can someone help with this? I need to concatenate two fields from metricbeat and create another field with this concatenated value. Tried to use the mutate filter, didn't work.

filter{
mutate { add_field => { "mount.point.usage" => "%{host.name} %{system.filesystem.mount_point.keyword}" } }
}

ex:
output req - mount.point.usage: hostone /dev/kpti [note: space between host and mount point]
I'm getting wrong output, can someone tell how to get correct output?

Thanks,
wrong

Should be something like this.

mutate { add_field => { "mount.point.usage" => "%{[host][name]} %{[system][filesystem][mount_point][keyword]}" } }

@aaron-nimocks Thanks for your quick response :smiley: It worked, thanks!
Can you please guide me on this as well?

The below code doesn't execute. Is it written the right way? I'm trying to calculate
CPU % and want to display all those hosts which are critical, i.e. above 90%.

filter{
 ruby
	   {
	      code => "
		  
		            userpct=event.get('system.cpu.user.pct')
					systempct=event.get('system.cpu.system.pct')
					cores=event.get('system.cpu.cores')
					cpuusage=((userpct+systempct)/cores)
					if (cpuusage > 0.9)
					{
					  event.set('system.cpu.status','CPUCritical')
					}
					else
					{
					  event.set('system.cpu.status','CPUHealthy')
					}
		  
		      "
	   }

}

[2022-03-18T22:17:03,897][ERROR][logstash.filters.ruby ][main] error in register {:message=>"(ruby filter code):11: syntax error, unexpected '\n'\n\t\t\t\t\t}\r\n ^", :exception=>SyntaxError, :backtrace=>["org/jruby/RubyKernel.java:1048:in eval'", "C:/Users/Prashant/Downloads/ELK/logstash-8.1.0/vendor/bundle/jruby/2.5.0/gems/logstash-filter-ruby-3.1.8/lib/logstash/filters/ruby.rb:63:in register'", "org/logstash/config/ir/compiler/AbstractFilterDelegatorExt.java:75:in register'", "C:/Users/Prashant/Downloads/ELK/logstash-8.1.0/logstash-core/lib/logstash/java_pipeline.rb:232:in block in register_plugins'", "org/jruby/RubyArray.java:1821:in each'", "C:/Users/Prashant/Downloads/ELK/logstash-8.1.0/logstash-core/lib/logstash/java_pipeline.rb:231:in register_plugins'", "C:/Users/Prashant/Downloads/ELK/logstash-8.1.0/logstash-core/lib/logstash/java_pipeline.rb:590:in maybe_setup_out_plugins'", "C:/Users/Prashant/Downloads/ELK/logstash-8.1.0/logstash-core/lib/logstash/java_pipeline.rb:244:in start_workers'", "C:/Users/Prashant/Downloads/ELK/logstash-8.1.0/logstash-core/lib/logstash/java_pipeline.rb:189:in run'", "C:/Users/Prashant/Downloads/ELK/logstash-8.1.0/logstash-core/lib/logstash/java_pipeline.rb:141:in block in start'"]}
[2022-03-18T22:17:03,935][INFO ][logstash.outputs.Elasticsearch][main] Using a default mapping template {:es_version=>7, :ecs_compatibility=>:v8}
[2022-03-18T22:17:03,938][ERROR][logstash.javapipeline ][main] Pipeline error {:pipeline_id=>"main", :exception=>#<RuntimeError: unexpected error: (ruby filter code):11: syntax error, unexpected '\n'

I don't know if the Ruby portion works because I don't have those values and data, but your first issue was with formatting. With this it should at least start and process the data so you can see if it's working from there.

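filter{
  ruby {
    code => "
      # Nested Metricbeat fields use bracket references, as in the mutate example above
      userpct = event.get('[system][cpu][user][pct]')
      systempct = event.get('[system][cpu][system][pct]')
      cores = event.get('[system][cpu][cores]')
      # Per-core usage: user + system share divided by the number of cores
      cpuusage = ((userpct+systempct)/cores)

      if (cpuusage > 0.9)
        event.set('[system][cpu][status]','CPUCritical')
      else
        event.set('[system][cpu][status]','CPUHealthy')
      end
    "
  }
}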
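As an added example (not code from the thread or from Logstash), here is a stand-alone Ruby sketch of the CPU check discussed above that can be run outside a pipeline: it uses bracket field references and leaves events without CPU fields untagged instead of raising on nil. `StubEvent`, `tag_cpu_status`, `sample` and the sample values are constructed for illustration, and `StubEvent` models only `get`/`set`.

```ruby
# Stand-in for the Logstash event API (assumption: only get/set with field
# references are modelled; this is not Logstash code).
class StubEvent
  def initialize(data)
    @data = data
  end

  # '[system][cpu][cores]' -> ['system', 'cpu', 'cores']; a name without
  # brackets, dots included, is treated as one top-level key.
  def path(ref)
    ref.start_with?('[') ? ref.scan(/\[([^\]]+)\]/).flatten : [ref]
  end

  def get(ref)
    path(ref).reduce(@data) { |node, key| node.is_a?(Hash) ? node[key] : nil }
  end

  def set(ref, value)
    *parents, leaf = path(ref)
    node = parents.reduce(@data) { |n, key| n[key] ||= {} }
    node[leaf] = value
  end
end

CRITICAL = 0.9 # threshold from the thread: above 90% is critical

# Body of the ruby filter, written as a method so it can be exercised offline.
def tag_cpu_status(event)
  user  = event.get('[system][cpu][user][pct]')
  sys   = event.get('[system][cpu][system][pct]')
  cores = event.get('[system][cpu][cores]')
  # Filesystem and other metricsets carry no CPU fields: leave them untagged.
  numeric = [user, sys, cores].all? { |v| v.is_a?(Numeric) }
  return event unless numeric && cores > 0

  usage = (user + sys) / cores.to_f
  event.set('[system][cpu][status]', usage > CRITICAL ? 'CPUCritical' : 'CPUHealthy')
  event
end

# Constructed sample event shaped like Metricbeat system.cpu output.
def sample(user, sys, cores)
  StubEvent.new('host' => { 'name' => 'hostone' },
                'system' => { 'cpu' => { 'user' => { 'pct' => user },
                                         'system' => { 'pct' => sys }, 'cores' => cores } })
end
```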
