I have following filter
filter {
if [type] == "apache-access" {
grok {
match => { "message" => "%{APACHE}" }
add_field => {
"tym1" => "%{microseconds} * 0.000001"
}
}
}
}
Pattern is definded as
APACHE %{COMBINEDAPACHELOG} **%{NUMBER:seconds:int}/%{NUMBER:microseconds:int}
Its returning as
234566*0.000001
in Kibana instead of
0.234566
You need to use a ruby filter to perform the multiplication.
ruby {
code => "event['tym1'] = event['microseconds'].to_i * 0.000001"
}
Do I need to keep this in gork or if[type=apache] ?
It assumes that there is a microseconds field so you may want to wrap it in a if [microseconds] { ... } conditional. Whether it's inside the [type] == "apache" conditional is up to you.
Thanks Magnus.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.