Hi,
First, I tested how to add a field via Ruby code based on the existing field duration and event
...
ruby {
  code => "
    if event.get('duration').nil?
      event.set('duration_time','')
    else
      duration_time = event.get('duration').to_i
      tmp,seconds = duration_time.divmod(60)
      hours, minutes = tmp.divmod(60)
      duration_time_s = format('%02d', hours) + ':'+ format('%02d', minutes) + ':' + format('%02d', seconds)
      event.set('duration_time',duration_time_s)
    end"
}
...
It works.
Next, I would like to add a Ruby function so that I can call it in all my Logstash configurations.
compute_duration.rb:
# the value of `params` is the value of the hash passed to `script_params`
# in the logstash configuration
def register(params)
  @compute_duration = params["my_field"]
end

# the filter method receives an event and must return a list of events.
# Dropping an event means not including it in the return array,
# while creating new ones only requires you to add a new instance of
# LogStash::Event to the returned array
def filter(event)
  if event.get(@compute_duration).nil?
    event.set(@compute_duration.concat('_time'),'')
  else
    time_l = event.get(@compute_duration).to_i
    tmp,seconds = time_l.divmod(60)
    hours, minutes = tmp.divmod(60)
    time_s = format('%02d', hours) + ':'+ format('%02d', minutes) + ':' + format('%02d', seconds)
    event.set(@compute_duration.concat('_time'),time_s)
  end
  return [event]
end

Logstash configuration:
ruby {
  # compute interval time
  path => "/usr/local/analytics/logstashjobs/ruby_code/compute_duration.rb"
  script_params => { "my_field" => 'duration' }
}
My Logstash configuration retrieves data from a CSV file. The first document is OK, but after that something strange happens. My new field is concatenated for all the other documents, like this:
duration_time
duration_time_time
duration_time_time_time
duration_time_time_time_time
...
I work with the stack ELK 7.0.1.
If someone has an idea
Regards,
Julien
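
The behaviour described in the post, reproduced outside Logstash as an added example (not part of the original post and not Logstash's own code). `FakeEvent`, `ConcatFilter`, `InterpolateFilter`, `hms` and `added_fields` are hypothetical names and the three duration values are constructed; the example assumes one filter instance is reused for every event, and contrasts the in-place `String#concat` with a variant that builds a new string per event.

```ruby
# Minimal stand-in for LogStash::Event; only get/set are modelled (assumption).
FakeEvent = Struct.new(:data) do
  def get(field)
    data[field]
  end
  def set(field, value)
    data[field] = value
  end
end

# Same seconds -> HH:MM:SS arithmetic as the post.
def hms(value)
  tmp, seconds = value.to_i.divmod(60)
  hours, minutes = tmp.divmod(60)
  format('%02d:%02d:%02d', hours, minutes, seconds)
end

# Shape of the posted script: String#concat appends in place, so @field grows per event.
class ConcatFilter
  def initialize(field)
    @field = field
  end

  def target
    @field.concat('_time')
  end

  def filter(event)
    value = event.get(@field)
    event.set(target, value.nil? ? '' : hms(value))
    [event]
  end
end

# Variant that builds a new string for each event and leaves @field untouched.
class InterpolateFilter < ConcatFilter
  def target
    "#{@field}_time"
  end
end

# Runs three constructed rows through ONE filter instance; returns each added [name, value].
def added_fields(filter_class)
  filter = filter_class.new('duration'.dup)
  %w[3725 59 86400].map do |secs|
    event = filter.filter(FakeEvent.new({ 'duration' => secs })).first
    event.data.reject { |k, _| k == 'duration' }.first
  end
end
```

`added_fields(ConcatFilter)` yields the growing `duration_time`, `duration_time_time`, ... names with empty values after the first event, while `added_fields(InterpolateFilter)` yields `duration_time` for every event.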