Need to split a field and use part of it in conditionals


(Vikas P) #1

I have an event with fields like:

"description" => "The description_53",
"network" => "network_b",
"duration" => 600,
"start_time" => "1493596800",
"node" => "node_b",
"device" => "device_53"

This event is posted as JSON to Logstash using the http input plugin.
The output is stdout with rubydebug codec.

This is what I am trying to achieve:
If the device number in the [device] field is less than 33 (device_32, device_26, etc.), I want to add a field "set" with value "set1".
Else, I want to add "set" with value "set2".
In either case, I want to add a field "rule_matched" with value 'device number'.
So in the above example, I want to add "set":"set2", "rule_matched":"53"

The challenge is that I do not understand how to get the number from the [device] field, use it in conditionals, and set the rule_matched value from it.

Any help is appreciated.


(Mark Walkom) #2

You could do a grok on that device field, where the pattern is device_%{NUMBER:id} and then use that field.


(Vikas P) #3

Thanks for your response @warkolm. Appreciate it.

But I found another way to tackle it soon after I posted the question.

filter {
    # Copy [device] into a metadata field; @metadata is not emitted by outputs
    mutate {
        add_field => {"[@metadata][device_num]" => "%{device}"}
    }
    # Strip the "device_" prefix, leaving only the number (still a string)
    mutate {
        gsub => ["[@metadata][device_num]", "device_", ""]
    }
    # Expose the number as rule_matched
    mutate {
        add_field => {"rule_matched" => "%{[@metadata][device_num]}"}
    }
    # Convert to integer so conditionals compare numerically, not lexically
    mutate {
        convert => {"rule_matched" => "integer"}
    }
    # ... some conditionals using the rule_matched field ...
}

However, I realized after posting the question that I do not want to keep the rule_matched field in the final output. That is the reason I tried to use the @metadata field. But the problem is that Logstash crashes every time I try to convert [@metadata][device_num] to an integer. This introduces an extra step of deleting the rule_matched field manually after it has been used in conditionals.

Is there a reason for this behavior or is it a bug?

Oh and also, I would like to know, from a standards point of view, is it better to use grok for this use case or is my method (well, not mine) good enough?


(Mark Walkom) #4

I haven't seen that crash, but perhaps if you provide more info we can debug it.

Gsub can be expensive if used a lot.
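The grok route suggested in #2, written out as a complete pipeline. This is an added example, not configuration from the thread: it keeps the field names and the threshold of 33 from the question, assumes the http input listens on port 8080, and adds a `set => "unknown"` branch (my choice, not something the question asked for) for device values that do not match the expected shape. Grok's `:int` suffix casts the captured number while it is captured, so the working value can live in `@metadata` without a separate `mutate { convert }` on a metadata field.

```conf
input {
  # Events arrive as JSON over HTTP, as the question states; the port is an assumption.
  http {
    port  => 8080
    codec => json
  }
}

filter {
  # Pull the number out of "device_53" straight into a typed @metadata field.
  # The ^ and $ anchors make sure only the exact "device_<digits>" shape matches,
  # so a value such as "device_5x" or "xdevice_5" sent by an untrusted client does
  # not yield a partial number. The ":int" suffix casts during capture, so no later
  # mutate/convert on the @metadata field is needed.
  grok {
    match => { "device" => "^device_%{POSINT:[@metadata][device_num]:int}$" }
  }

  if "_grokparsefailure" in [tags] {
    # Unparseable device name: say so instead of assigning a wrong set.
    # The "unknown" value is an addition of this example.
    mutate { add_field => { "set" => "unknown" } }
  } else {
    # Numeric comparison. On a string field the same test would be lexical,
    # where "100" sorts before "33"; the :int cast above is what prevents that.
    if [@metadata][device_num] < 33 {
      mutate { add_field => { "set" => "set1" } }
    } else {
      mutate { add_field => { "set" => "set2" } }
    }
    # rule_matched is the value the question wants in the output; the @metadata
    # working copy itself is never emitted.
    mutate { add_field => { "rule_matched" => "%{[@metadata][device_num]}" } }
  }
}

output {
  stdout { codec => rubydebug }
}
```

With the event from the question, the output gains `"set" => "set2"` and `"rule_matched" => "53"`, and `[@metadata][device_num]` is absent. To watch the metadata field while debugging, use `stdout { codec => rubydebug { metadata => true } }`. One grok replaces the three mutate filters of the gsub approach, which also addresses the cost concern in #4.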


(system) #5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.