Getting Error:
[2023-02-02T19:25:48,535][ERROR][logstash.filters.ruby ][main][b7126651d97050c2a450765cb1ad946624dc0b4a1ea72baecc762eb17b892bdd] Ruby exception occurred: undefined method each' for #<String:0xa01d55c> {:class=>"NoMethodError", :backtrace=>["(ruby filter code):5:in
block in filter_method'", "/opt/logstash/logstash-7.16.2/vendor/bundle/jruby/2.5.0/gems/logstash-filter-ruby-3.1.7/lib/logstash/filters/ruby.rb:93:in inline_script'", "/opt/logstash/logstash-7.16.2/vendor/bundle/jruby/2.5.0/gems/logstash-filter-ruby-3.1.7/lib/logstash/filters/ruby.rb:86:in
filter'", "/opt/logstash/logstash-7.16.2/logstash-core/lib/logstash/filters/base.rb:159:in do_filter'", "/opt/logstash/logstash-7.16.2/logstash-core/lib/logstash/filters/base.rb:178:in
block in multi_filter'", "org/jruby/RubyArray.java:1821:in each'", "/opt/logstash/logstash-7.16.2/logstash-core/lib/logstash/filters/base.rb:175:in
multi_filter'", "org/logstash/config/ir/compiler/AbstractFilterDelegatorExt.java:134:in multi_filter'", "/opt/logstash/logstash-7.16.2/logstash-core/lib/logstash/java_pipeline.rb:299:in
block in start_workers'"]}
sample JSONMessage:
2023-02-02T16:21:34.352-06:00 [INFO] {"APP_LOGS":{"Header":{"ApplicationID":"ABC","ServiceName":"INFO","ComponentName":"EventingLog.process","Hostname":"hostname123","Timestamp":"2023-02-02T22:21:34.352Z","TransactionDomain":"ABC","TransactionType":"Eventing","TransactionID":"Customer::123_456","BusinessID":"Customer::123_456","ApplicationDomain":"SyncUp","BusinessID2":"NA"},"Category":"Eventing","Status":"InfoLog","TransactionBefore":"Customer Doc created/updated in Target Bucket. Additional Channels retained from existing Customer target Doc. ,Tax attrbt updated from source TaxRateDoc to target Customer document with ID: Customer::123_456","TransactionAfter":"Issue is creating eventing process","LogLevel":"1"}}
Code:
filter {
grok {
tag_on_failure => ["_notAPP"]
match => ["message", "%{TIMESTAMP_ISO8601:logTimestamp} %{SYSLOG5424SD:logLevel} %{GREEDYDATA:logJSONMessage}" ]
}
json {
tag_on_failure => ["_notAPP"]
source => "logJSONMessage"
target => "jsonMessage"
}
ruby {
tag_on_exception => "_notAPP"
code => '
jsonObj = event.get("jsonMessage")
return if jsonObj.nil?
jsonObj.each { |k, v|
event.set("logType",k)
event.set("logMessage",v)
event.set("elkMessage",event.get("logType")=="APP_LOGS"?v["TransactionBefore"]:v["TransactionData"])
event.set("afterTransaction", event.get("logType")=="APP_LOGS"?v["TransactionAfter"]:v["DumpAnalysis"])
event.set("transactionId", v["Header"]["TransactionID"])
}
event.remove("doc")
'
}
uuid {
target => "uuid"
}
mutate {
add_field => {
"[key][id]" => "%{uuid}"
"[key][application]" => "ABC"
"[key][table]" => ""
}
}
mutate {
rename => { "[logJSONMessage]" => "[@metadata][logJSONMessage]" }
rename => { "[logMessage]" => "[@metadata][logMessage]" }
rename => { "[logLevel]" => "[@metadata][logLevel]" }
rename => { "[logTimestamp]" => "[@metadata][logTimestamp]" }
rename => { "[jsonMessage]" => "[@metadata][jsonMessage]" }
rename => { "[logType]" => "[@metadata][logType]" }
rename => { "[host]" => "[@metadata][host]" }
rename => { "[message]" => "[@metadata][message]" }
rename => { "[key]" => "[@metadata][key]" }
rename => { "[type]" => "[@metadata][type]"}
add_field => {"message" => "%{transactionId}-%{elkMessage}-%{afterTransaction}"}
remove_field => [ "uuid" , "transactionId" ,"elkMessage" ,"afterTransaction"]
}
if "_notAPP" in [tags] {
mutate {
remove_tag => ["_notAPP"]
replace => { "message" => "%{[@metadata][message]}"}
}
}
}
Can someone please help on what is wrong here ?