I would like to somehow create a new event with a Logstash Ruby filter, but so far with no success. I tried a lot of versions and syntaxes, searched many online topics and documentation, and the result is the same.
For example, one code snippet for this purpose:
I did not get any errors with this one; in the end, syslog shows the new event with "cpu_test_load", "@timestamp" and "@version" fields, but Kibana does not show it within the destination index pattern. What am I doing wrong? Could anybody help with this problem?
I have never had any success creating new events with the code option of a ruby filter. All the posts that explain how to do it appear to discuss techniques that are no longer valid.
However, you can definitely create new events if you use the path option to a ruby filter, since that has to return an array of events.
Thank you. Maybe I will try it, but my opinion is that it should work this way as well. Syslog shows the created new event with a minimal field list; it seems that only Kibana drops it. Why? I think there is only one small related setting or some other problem which causes the situation.
First, it is necessary to build a structure (an array of hashes, via the Ruby filter) from which we want to create the new events. For each hash object it is important to place an index value, otherwise we will get Elasticsearch indexing errors after a Logstash restart. When the structure is complete, this array should be inserted into the existing event via event.set. That's all for the Ruby filter.
After that, we need to apply the split filter to the existing event and, in its field attribute, specify the previous array of hash objects. Logstash will make as many events as the array has elements.
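The two steps described in the last reply, written out as a small test pipeline. This is an added example, not code from the thread. The field names `cpu_loads` and `new_events`, the generator input with its sample values, and the reading of "index value" as the element's position in the array are all assumptions.

```logstash
# Constructed test input: one JSON event carrying three sample CPU load values.
input {
  generator {
    lines => ['{"cpu_loads":[12,47,83]}']
    count => 1
    codec => "json"
  }
}

filter {
  # Step 1: build an array of hashes and attach it to the existing event.
  ruby {
    code => '
      loads = event.get("cpu_loads") || []
      items = []
      loads.each_with_index do |load, i|
        # Every hash carries its own index value (assumed meaning: array position).
        items << { "index" => i, "cpu_test_load" => load }
      end
      # Only set the field when there is something to split on.
      event.set("new_events", items) unless items.empty?
    '
  }

  # Step 2: split emits one event per array element. Each resulting event is a
  # copy of the original in which [new_events] holds a single hash.
  if [new_events] {
    split {
      field => "new_events"
    }
  }
}

# Print the resulting events so the field layout can be checked before
# pointing the pipeline at Elasticsearch.
output {
  stdout { codec => rubydebug }
}
```

Each emitted event keeps the other fields of the original event, and the per-element values are reachable as `[new_events][index]` and `[new_events][cpu_test_load]`.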