Ruby filter used for reading modified time of file

CDR · July 21, 2017, 3:04pm

Hello community,

I am currently trying to use the ruby filter to get the modified time of the file I am reading. I want to store the modified time in mtime. This is my first time using ruby so I am sort of lost. Here is my code:

if [type] == "test" {
	ruby {
		code => 'event.set("modified_time", File.mtime("path"))'
	}
}

It gives me an error of:

Ruby exception occurred: No such file or directory - path

In elasticsearch the 'path' is:

C:/ELK-Stack_windows/user_files/data/multiline/file.prn

Unsure as to why it is giving me this error since the file exists in that location.

Thanks!

paz · July 24, 2017, 10:38am

The error is because you cannot directly reference event values (much like you can't assign a value and you have to use a .set method, as you already do). This should work

if [type] == "test" {
	ruby {
		code => 'event.set("modified_time", File.mtime(event.get("path")))'
	}
}

system · August 21, 2017, 10:38am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.