Multiplication in logstash grok filter

Preeti_Sharma · September 6, 2016, 11:01am

I have following filter

filter {
  if [type] == "apache-access" {
    grok {
      match => { "message" => "%{APACHE}" }

        add_field => {
      "tym1" => "%{microseconds} * 0.000001"
                            }
}
}
}

Pattern is definded as

APACHE %{COMBINEDAPACHELOG} **%{NUMBER:seconds:int}/%{NUMBER:microseconds:int}

Its returning as

234566*0.000001

in Kibana instead of

0.234566

magnusbaeck · September 6, 2016, 11:10am

You need to use a ruby filter to perform the multiplication.

ruby {
  code => "event['tym1'] = event['microseconds'].to_i * 0.000001"
}

Preeti_Sharma · September 6, 2016, 11:13am

Do I need to keep this in gork or if[type=apache] ?

magnusbaeck · September 6, 2016, 11:17am

It assumes that there is a microseconds field so you may want to wrap it in a if [microseconds] { ... } conditional. Whether it's inside the [type] == "apache" conditional is up to you.

Preeti_Sharma · September 6, 2016, 11:31am

Thanks Magnus.

Topic		Replies	Views
Subtracting two values of a field Logstash	5	659	July 14, 2022
Math function in Logstash Logstash	3	894	October 14, 2017
COMBINEDAPACHELOG did not add any matched fileds? Logstash	6	6954	December 20, 2016
Doing mathematical ops using logstash filters Logstash	2	2614	July 6, 2017
Divide two fields and store in a new field to be visualized in Kibana Logstash	3	2710	December 28, 2016

Multiplication in logstash grok filter

Related topics