Logstash Syntax :: Add a new field... which is the product of other fields?

Hello Lords of Logstash,

In my data, I need to add a new field that multiplies the integer values of two other fields and a constant. In other words, if I have this:

FieldA    FieldB
  1         5
  2         4
  3         9

And I want to do this in my filter{ } section:

  mutate {
    add_field => { "[FieldC]" => "%{[FieldA]} * %{[FieldB]} * 5" }
    convert => { "FieldC" => "integer" }
  }

To get this:

FieldA    FieldB    FieldC
  1         5       25
  2         4       40
  3         9       135

But the above mutate{} statement treats FieldC as a string and gives me this:

FieldA    FieldB    FieldC
  1         5       “1 * 5 * 5”
  2         4       “2 * 4 * 5”
  3         9       “3 * 9 * 5”

Which is obviously not what I want. And if I remove the double quotes in my add_field statement, Logstash promptly crashes.

Any idea how to fix this syntax? Thanks!

Use a ruby filter. I haven't tested this but it would be something like

ruby {  code => 'event.set("FieldC", event.get("FieldA").to_i * event.get("FieldB").to_i * 5)' }

Obviously that will implode with errors about there not being a * operator for NilClass if either FieldA or FieldB is missing, so you might need to test that they exist.

Yes! Badger, you are absolutely on the money. It took me a little time to understand the syntax, but your solution worked perfectly.

To anyone who may be following this post:

I initially thought that this syntax didn't work, because the value of "FieldC" was turning out to be 0 every time. But when I did some troubleshooting, I realized I misspelled "FieldA" in my command:

ruby { code => 'event.set("FieldC", event.get("FeildA").to_i * event.get("FieldB").to_i * 5)' }

When Logstash goes to look for event.get("FeildA"), this returns a NULL because the field doesn't exist. The to_i function converts NULL to 0, thus throwing off the rest of the math. Once I fixed my spelling mistake, everything else worked.

Thanks Badger!

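The misspelled-field case described in the last post, as an added example that is not part of the original thread: a stricter version of the calculation that tags the event instead of writing a silent 0 when FieldA or FieldB is missing or non-numeric. `StubEvent` is a stand-in for Logstash's event object so the code runs outside Logstash, and the tag name `_fieldc_input_invalid` is made up for illustration.

```ruby
# Stand-in for Logstash's event object so the example runs outside Logstash.
# Only get/set/tag are mimicked; inside a ruby filter the real `event` is used.
class StubEvent
  def initialize(data)
    @data = data
  end

  def get(field)
    @data[field]
  end

  def set(field, value)
    @data[field] = value
  end

  def tag(name)
    tags = (@data["tags"] ||= [])
    tags << name unless tags.include?(name)
  end
end

# Strict integer parse: nil for a missing field or non-numeric text,
# where to_i would quietly return 0.
def strict_int(value)
  return value if value.is_a?(Integer)
  return nil unless value.is_a?(String)
  Integer(value.strip, 10, exception: false)
end

# Sets FieldC = FieldA * FieldB * 5, or tags the event and leaves FieldC unset.
# The tag name "_fieldc_input_invalid" is an assumption made for this example.
def set_field_c(event)
  a = strict_int(event.get("FieldA"))
  b = strict_int(event.get("FieldB"))
  if a.nil? || b.nil?
    event.tag("_fieldc_input_invalid")
    return false
  end
  event.set("FieldC", a * b * 5)
  true
end

# Constructed sample events: two valid rows, one with the field name misspelled.
SAMPLE_EVENTS = [
  { "FieldA" => "1", "FieldB" => "5" },
  { "FieldA" => 3, "FieldB" => "9" },
  { "FeildA" => "2", "FieldB" => "4" }
].map { |h| StubEvent.new(h) }
SAMPLE_EVENTS.each { |e| set_field_c(e) }
```

Inside a ruby filter, the bodies of `strict_int` and `set_field_c` would operate on the real `event`, and downstream conditionals can route on the tag rather than trusting a computed 0.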