Logstash filtering on eventId in ruby

dries_vanherpe · June 11, 2019, 7:48am

So im trying to filter with the ruby filter plugin in Logstash. Im pretty new to ruby and Logstash but I have tried some code and it doesn't seem to work. It looks like it won't go inside the CSV.foreach. I want to give a weight to certain event ids in the csv.
this is my logstash.conf :

input {
  beats {
      port => 5000
    }
}


filter {
  ruby {

    code =>
    "
    require 'csv'
    content = File.read('/usr/share/logstash/CSV/DC.csv')
    csv = CSV.parse(content, headers:true)
    id = event.get('winlog.event_id')
    csv.each do |row|
        if row['Event ID'] == id
            event.set('weigth', row['Weigth'])
        end
    end
    if event.get('Weigth').nil?
        event.set('Weigth', 0)
    end
 "
  }
}
output {
   elasticsearch {
		hosts => "elasticsearch:9200"
		user => #######
		password => ######
	}
}

my csv looks like this :

Event ID;Weight
4672;100
4625;80
4648;80
4657;80
4657;80

The result I get is something like this where weight is standard 0 :

Badger · June 11, 2019, 9:42am

Your csv has a column 'Weight' but your configuration is looking for 'Weigth'.

dries_vanherpe · June 11, 2019, 1:03pm

solved it

require 'csv'
content = File.read('/usr/share/logstash/CSV/DC.csv')
csv = CSV.parse(content ,col_sep:';', headers:true)
id = event.get('[winlog][event_id]')
csv.each do |row|
    if row[0].to_s == id.to_s
        event.set('weigth', row[1])
    end
end
if event.get('weigth').nil?
    event.set('weigth', 0)
end 
"

system · July 9, 2019, 1:03pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.