Ruby filter plugin does not read new field values

priyaankaa · September 4, 2021, 1:20pm

How to get correct value of the field inside ruby code in logstash pipeline?
sample 1:

input { 
    elasticsearch {
		hosts 				=> "http://localhost:9200"
		index 				=> "test1"
	}
}
filter {
	mutate {
		add_field 			=> { "yearsdiff" => "10" }
		add_field			=> { "timestampdiff1" => "" }
	}
	ruby {
		code => '
			event.set("[timestampdiff1]", event.get("[yearsdiff]"));
		'
	}
}
output {
	elasticsearch {
		hosts => "http://localhost:9200/"
		index => "test1"
		action => "update"
		document_id => "%{docid}"
		doc_as_upsert => true
	}
}

Output :
"timestampdiff1" : 0

sample 2:
Same as above. Only used add_field inside ruby instead of mutate.
Output:
"timestampdiff1" : null

Expected output:
"timestampdiff1" : 10

aaron-nimocks · September 4, 2021, 2:14pm

Where are you planning on getting yearsdiff value from? Or is it always 10?

priyaankaa · September 4, 2021, 2:31pm

@aaron-nimocks ,
Yes, its always 10.
Actually I want to calculate ( currentYear - yearsDiff ) in timestampdiff1 field but I always get 2021.

aaron-nimocks · September 4, 2021, 3:12pm

If I read correctly and your goal is to get current year and subtract 10 then this how I would do it.

ruby {
 code => '
  event.set("year_diff", ((Time.now().to_s[0..3]).to_i) - 10)
 '      
}

This takes the current system time -> transforms to a string -> using substring function extract the first 4 characters which is the year -> convert back to an integer so you can do math functions -> subtract 10 -> save in new field called year_diff.

Not sure if this is the most efficient but that's just the first solution I thought of.

Badger · September 4, 2021, 5:14pm

I answered a closely related question from the same poster here.

priyaankaa · September 4, 2021, 5:41pm

@Badger , actually this question is different. I am still not able to access add_field values inside ruby code. Please suggest a way.

Badger · September 4, 2021, 6:31pm

The configuration

input { generator { count => 1 lines => [ '' ] } }
filter {
    mutate {
        add_field           => { "yearsdiff" => "10" }
        add_field           => { "timestampdiff1" => "" }
    }
    ruby { code => ' event.set("[timestampdiff1]", event.get("[yearsdiff]")) ' }
}
output { stdout { codec => rubydebug { metadata => false } } }

produces

     "yearsdiff" => "10",
       "message" => "",
"timestampdiff1" => "10"

priyaankaa · September 5, 2021, 7:11am

I dont know why but in my case exact same code is giving output as "timestampdiff1" : "0".
I am using ELK 7.12. Is this bug ?

Badger · September 5, 2021, 2:22pm

I cannot think of any reason why that would happen.

system · October 3, 2021, 2:22pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Get current time using ruby filter in logstash Logstash	9	7854	July 18, 2017
Calculating new fields using ruby filter Logstash	3	1406	July 13, 2020
Is @timestamp get value automatically from field timestamp? Logstash	5	271	November 7, 2023
Access to nested fields' values in logstash Logstash	3	77	July 11, 2024
Field reference in ruby filter Logstash	2	906	September 15, 2017

Ruby filter plugin does not read new field values

Related topics