Logstash: ruby filter: how to create empty event?

asp · March 9, 2018, 1:40pm

Hi,

Is it possible to create additional empty events in ruby filter plugin?

Only option I found in documentation https://www.elastic.co/guide/en/logstash/current/plugins-filters-ruby.html is to clone the current event.

filter {
  ruby {
    code => "new_event_block.call(event.clone)"
  }
}

I would like create new events on some conditionals. Because the new events should only take a few fields, it would be easier to build up from scratch and add fileds like @timestamp and my fields I would like to store than deleting all not needed fields afterwards.

Then I would like to add the array of events to the return array of filter(event) function.

talevy · March 16, 2018, 5:04pm

Hi @asp!

It is probably best to re-ask this under the Logstash category here: https://discuss.elastic.co/c/logstash

I believe you should be able to call Event.new?

asp · March 21, 2018, 8:06am

moved to correct sub forum

Jon_D · March 23, 2018, 1:53pm

Hi,

I have the same requirement and I was able to find something that seems to work. The following filter example generates 2 new events (beside the original one):

filter {
    ruby {
            code => "
                    require 'pry'
                    generated = LogStash::Event.new
                    generated.set('somefield', 'somevalue')
                    new_event_block.call(generated)

                    anotherone = LogStash::Event.new({'message' => 'withsomedata'})
                    anotherone.set('other', 'need to set more data')
                    new_event_block.call(anotherone)
                    "
    }
}

Ruby's pretty new to me though, so if there's any good reason not to do it like this, some feedback would be much appreciated.

regards,
Jonas

system · April 20, 2018, 1:53pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.