Ruby exception occurred: undefined method `[]' for #<LogStash

sujeetjha · November 20, 2020, 2:31pm

filter {
  ## Ignore the comments that IIS will add to the start of the W3C logs
  #
  if [message] =~ "^#" {
    drop {}
  }

  grok {
    ## Very helpful site for building these statements:
    #   http://grokdebug.herokuapp.com/
    #
    # This is configured to parse out every field of IIS's W3C format when
    #   every field is included in the logs
    #
    match => ["message", "%{TIMESTAMP_ISO8601:log_timestamp} %{WORD:serviceName} %{WORD:serverName} %{IP:serverIP} %{WORD:method} %{URIPATH:uriStem} %{NOTSPACE:uriQuery} %{NUMBER:port} %{NOTSPACE:username} %{IPORHOST:clientIP} %{NOTSPACE:protocolVersion} %{NOTSPACE:userAgent} %{NOTSPACE:cookie} %{NOTSPACE:referer} %{NOTSPACE:requestHost} %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:win32response} %{NUMBER:bytesSent} %{NUMBER:bytesReceived} %{NUMBER:timetaken}"]
  }

  ## Set the Event Timestamp from the log
  #
  date {
    match => [ "log_timestamp", "YYYY-MM-dd HH:mm:ss" ]
      timezone => "Etc/UTC"
  }

  ## If the log record has a value for 'bytes sent', then add a new field
  #   to the event that converts it to kilobytes
  #
  if [bytesSent] {
    ruby {
      code => "event['kilobytesSent'] = event['bytesSent'].to_i / 1024.0"
    }
  }

   ## Do the same conversion for the bytes received value
  #
  if [bytesReceived] {
    ruby {
      code => "event['kilobytesReceived'] = event['bytesReceived'].to_i / 1024.0"
    }
  }

  ## Perform some mutations on the records to prep them for Elastic
  #
  mutate {
    ## Convert some fields from strings to integers
    #
    convert => ["bytesSent", "integer"]
    convert => ["bytesReceived", "integer"]
    convert => ["timetaken", "integer"]

    ## Create a new field for the reverse DNS lookup below
    #
    add_field => { "clientHostname" => "%{clientIP}" }

    ## Finally remove the original log_timestamp field since the event will
    #   have the proper date on it
    #
    remove_field => [ "log_timestamp"]
  }


  ## Do a reverse lookup on the client IP to get their hostname.
  #
  dns {
    ## Now that we've copied the clientIP into a new field we can
    #   simply replace it here using a reverse lookup
    #
    action => "replace"
    reverse => ["clientHostname"]
  }
  ## Parse out the user agent
  #
    # useragent {
    #     source=> "useragent"
    #     prefix=> "browser"
    # }
}

it is throwing this error
logstash[461058]: [2020-11-20T14:29:30,030][ERROR][logstash.filters.ruby ][main][ed59ff646c4dc5fde49deb2fa3b07b26c88196d3d8747e51fd494ccd70dd14bf] Ruby exception occurred: undefined method `' for #LogStash::Event:0x2e351871

Badger · November 20, 2020, 2:34pm

Support for directly referencing fields in the event this way was removed a few years ago. Use event.get and event.set from the event API.

sujeetjha · November 21, 2020, 6:37am

I am new to it can you plz elaborate? how can I fix this?

Badger · November 21, 2020, 2:02pm

The documentation I linked to includes explanation and examples of both how to get fields from an event and how to set fields on an event. I cannot provide any better explanation.

system · December 19, 2020, 2:02pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.