Ruby filter in Logstash, how to pass parameters to external Ruby script

Heckler_GlobalOperat · February 18, 2018, 4:12am

Hi everyone,
I'm preparing a Logstash configuration which use Grok to extract fields from incoming messages and Ruby to process those fields.

Below is a simple version of my configuration, I want to extract the Timestamp and Server values from the incoming messages, then pass those parameters to a Ruby script (named ruby_process.rb) via "script_params"

grok {
match => [ "message", "%{TIMESTAMP_ISO8601:timestamp}, %{WORD:server} %{WORD:state}" ]
}

ruby {
path => "E:\logstash-6.1.2\config\scripts\ruby_process.rb"
script_params => {

"server" => "event.get('server')"

"timestamp" => "event.get('timestamp')"
}
}

In ruby_process.rb, I read the Server and Timestamp params into Ruby variables

def register(params)
@server = params["server"]
@epoc = params["timestamp"]
end

But it just doesn't work, the value of @server is the literal string "event.get('server')", not the value itself. I have looked around the Google but found no example for this usecase

magnusbaeck · February 18, 2018, 2:12pm

https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html#sprintf

However, what you're trying to do doesn't make sense. The script parameters are passed to the ruby filter's register function (as you've noticed) but that code is run when the pipeline starts up. At that point there is no event context so you can't possibly pass field values from an event.

If you really want to access field values in your ruby filter you can just access them via the event object straight in your code.

Heckler_GlobalOperat · February 19, 2018, 3:09pm

Thank you, I forgot that I can access the fields in the Filter method in Ruby script

system · March 19, 2018, 3:09pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.