Read actual and previous line using plugin file in Logstash

dooger21 · December 29, 2020, 7:56pm

Hello everyone,

I need to read a log in tail mode and for each record read in real time to also obtain the previous record. That is, whatever you read the row (11) that has the date 20200607-00:10:00 also get the previous row (10) that has the date 20200607-00:09:00.

The objective of structuring my index like this is to create a visualization that allows me to compare the current value of my COL1 with the previous value (Ex: current 87, previous 7) if both values are greater than 10 that an alert is painted (timeseries annotations - visual builder)

Log:
Captura

Badger · December 29, 2020, 10:59pm

I would do that using a ruby filter:

ruby {
    code => '
        @previousMessage ||= ""
        event.set("previousMessage", @previousMessage)
        @previousMessage = event.get("message")
    '
}

You must set pipeline.workers to 1 for this to work, and make sure pipeline.ordered has the value you want (true) (or auto in 7.x but not 8.x).

dooger21 · December 30, 2020, 4:36pm

It works perfectly. I use the default logstash configuration, do not change any configuration files. Thank you @Badger

system · January 27, 2021, 4:36pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.