Problem with combining xmlfilter and ruby code to compute a time difference

Franco · August 20, 2019, 12:16pm

Hi all,

I have an xml log which looks like this:

  <xml-request id='199263291' request='0x0x7f153c000e20' rsp='0' HTTP-rsp='0' session='28' bytesSent='1063' status='ended' created='2019-08-20T04:23:08.984+02:00' ended='2019-08-20T04:23:08.985+02:00'>
   <method>POST</method>
   <uri>/Zuschreibung/</uri>
   <remote_addr>10.49.9.50</remote_addr>
</xml-request>

I use an xmlfilter like this

  xml {
    source => "message"
    target => "xmldata"
    store_xml => false
    force_array => false
    xpath => [ "/xml-request/uri/text()", "uri" ]
    xpath => [ "/xml-request/@created", "req_created" ]
    xpath => [ "/xml-request/@ended", "req_ended" ]
  }

Since I'm interested in the time difference (between req_ended minus req_created) I add a ruby code part with DateTime parsing.
Due to some strange error messages with something like "RubyNil" I checked the req_ended and req_created field for nil before computing

  ruby {
      code => "

           @@duration = 0.0
           @@ended = event.get('[req_ended]')
           @@created = event.get('[req_created]')
           if (!@@ended.nil? and !@@created.nil?)
           then
               @@duration= (((DateTime.strptime(@@ended, '%Y-%m-%dT%H:%M:%S.%L%z')) - (DateTime.strptime(@@created, '%Y-%m-%dT%H:%M:%S.%L%z'))) * 86400).to_f
           end
           event.set('req_duration_sec',@@duration)
        "
  }

When testing my logstash config with reading the xml logs from a prepared file, the time computing seems ok.
When the xml is delivered from a filebeat, I got a lot of strange time values like

req_duration_sec 25,352.693

from such a line (which should have 0.001 sec as duration)

<xml-request id='199435077' request='0x0x7f0fe80008c0' rsp='0' HTTP-rsp='0' session='16' bytesSent='475' status='ended' created='2019-08-20T11:32:57.333+02:00' ended='2019-08-20T11:32:57.334+02:00'>

Or even neagtive ones

req_duration_sec -36,157.805

from
<xml-request id='199434849' request='0x0x7f1534000a30' rsp='0' HTTP-rsp='0' session='26' bytesSent='6384' status='ended' created='2019-08-20T11:32:56.132+02:00' ended='2019-08-20T11:32:56.132+02:00'>

Can anyone see what I'm doing wrong?

Best regards
Franco

Badger · August 20, 2019, 12:55pm

There is no reason to use class or even instance variables here. You can use local variables. In fact, that might be the problem. If a message is missing one of req_created or req_ended it will use the value from the previous message. Personally I would use a date filter to parse the timestamps.

    date { match => [ "req_created", "ISO8601" ] target => "req_created" }
    date { match => [ "req_ended", "ISO8601" ] target => "req_ended" }
    ruby {
        code => '
            duration = 0.0
            ended = event.get("req_ended")
            created = event.get("req_created")
            if created and ended then
                duration = ended.to_f - created.to_f
            end
            event.set("req_duration_sec", duration)
        '
    }

Franco · August 20, 2019, 1:24pm

Tnx Badger,
your advice helped me perfectly. No more negative or huge positives.

So lucky.

system · September 17, 2019, 1:24pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Get Difference between two date field with ruby filter Logstash	2	6925	September 13, 2017
Problem with xml filter Logstash	12	4022	May 2, 2017
Time difference between two fields in a csv using ruby plugin Logstash	3	2616	March 30, 2018
Calculate the time difference between 2 xml log lines Logstash	5	326	May 26, 2021
Time Diff Calculation in ruby not working Logstash	2	391	March 10, 2019

Problem with combining xmlfilter and ruby code to compute a time difference

Related topics