Ruby filter usage to divide value and create new events

Hello,

I have the following event:

             "message" => "2017-01-02 08:00;2017-01-02 09:00;30;Item1, Item2, Item3",
            "@version" => "1",
          "@timestamp" => "2017-01-02T08:00:00.000Z",
                "host" => "xxx",
                "type" => "aaa",
               "stopt" => "2017-01-02 09:00",
                "time" => 24,
               "items" => "Item1, Item2, Item3",

and based on that I would like to:
1. Create a new, separate event for every item on the items list
2. Divide the time value by the total number of items (e.g. we have 24 and 3 items total, so every new event should have "time" => 8)
3. Delete the original event

so the first new event should look like below:

             "message" => "2017-01-02 08:00;2017-01-02 09:00;30;Item1",
            "@version" => "1",
          "@timestamp" => "2017-01-02T08:00:00.000Z",
                "host" => "xxx",
                "type" => "aaa",
               "stopt" => "2017-01-02 09:00",
                "time" => 8,
               "items" => "Item1",
                "tags" => [

I'm not able to achieve this using the built-in Logstash filters, so ruby() is the only solution. Can you help me with that?

Thanks in advance
PaVliK

You can use the mutate filter's split option to turn the items string into an array. After that the following ruby filter (for Logstash 2.4+) should take care of the division:

ruby {
  code => "event.set('time', event.get('time') / event.get('items').length) unless event.get('time').nil?"
}

Finally, use the clone filter on the items field to split the original event into multiple copies.
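
The three steps from the question as one script for the ruby filter's script-file mode, added here as an example and not code from either poster: `filter(event)` returns one copy per item and leaves the original out. It assumes a ruby filter version that supports the `path` option and that the items are the last `;`-separated field of `message`; `StubEvent` and `SAMPLE` are constructed so the script also runs outside Logstash.

```ruby
# Script-file form of the Logstash ruby filter (loaded with the filter's
# `path` option): Logstash calls filter(event) and emits every event in the
# returned array, so leaving the original out of the array deletes it.
def filter(event)
  raw = event.get('items')
  # Accept the array produced by mutate/split or the raw "a, b, c" string.
  items = (raw.is_a?(Array) ? raw : raw.to_s.split(','))
          .map { |i| i.to_s.strip }.reject(&:empty?)
  return [event] if items.empty? # nothing to fan out: pass through unchanged

  time = event.get('time')
  # Integer division, as in the answer's one-liner: 24 / 3 => 8.
  share = time.is_a?(Numeric) ? time / items.length : nil
  # Assumption from the sample: items are the last ';'-separated field of message.
  head, sep, _tail = event.get('message').to_s.rpartition(';')

  items.map do |item|
    copy = event.clone
    copy.set('items', item)
    copy.set('time', share) unless share.nil?
    copy.set('message', "#{head}#{sep}#{item}") unless sep.empty?
    copy
  end
end

# Constructed stand-in for LogStash::Event so the script also runs outside
# Logstash; it implements only get, set and a deep-copying clone.
class StubEvent
  def initialize(fields)
    @fields = fields
  end
  def get(name)
    @fields[name]
  end
  def set(name, value)
    @fields[name] = value
  end
  def clone
    StubEvent.new(Marshal.load(Marshal.dump(@fields)))
  end
end

# Constructed sample input, taken from the event in the question.
SAMPLE = StubEvent.new(
  'message' => '2017-01-02 08:00;2017-01-02 09:00;30;Item1, Item2, Item3',
  'time' => 24, 'items' => 'Item1, Item2, Item3', 'stopt' => '2017-01-02 09:00'
)
```

Events with an empty or missing `items` field are passed through untouched, and a non-numeric `time` is left as it was on each copy.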
