Logstash/grok to match only first occurrence and stop parsing repeatedly for same values

Badger · May 27, 2021, 11:09pm

What I would do is

    grok {
        pattern_definitions => { "CUSTOMTIME" => "%{DAY} %{MONTH} %{MONTHDAY} %{TIME}" }
        match => { "message" => "%{CUSTOMTIME:[@metadata][timestamp]} %{GREEDYDATA:[@metadata][restOfLine]}" }
    }
    date { match => [ "[@metadata][timestamp]", "EEE MMM dd HH:mm:ss" ] }
    ruby {
        init => '@lastValue = nil'
        code => '
            now = event.get("@timestamp").to_f
            if @lastValue == nil
                @lastTime = now
            end

            value = event.get("[@metadata][restOfLine]")
            if value == @lastValue
                event.cancel
            else
                delta = now - @lastTime
                event.set("delta", delta)
                @lastTime = now
            end
            @lastValue = value
        '
    }

Topic		Replies	Views
Stop proccesing events/lines after first grok match Logstash	11	2780	February 9, 2020
Logstash read previous events fields from elasticsearch in case of high events rate Logstash	4	560	February 14, 2021
Grok filter only uses last match, can this be changed? Logstash	1	762	December 23, 2016
Save a value to variable Logstash	5	1420	July 6, 2017
Iteration in Logstash Logstash	5	14161	July 6, 2017

Logstash/grok to match only first occurrence and stop parsing repeatedly for same values

Related topics