I have this pipeline that's a bit convoluted and wanted to know if this will work. The intent is, if old.new_duration
exists and, for example, has a value of 10, instead of it being replaced, it gets added to the value of duration.epoch
with the sum of those two values going back into the field old.new_duration.
if [old][new_duration] {
  if [old][state] == "new" {
    # Add duration.epoch to the existing old.new_duration value
    ruby {
      code => 'event.set("[old][new_duration]", event.get("[old][new_duration]").to_i + event.get("[duration][epoch]").to_i)'
    }
  } else {
    # Otherwise copy the current value into a separate field
    mutate {
      add_field => {
        "state_new_duration" => "%{[old][new_duration]}"
      }
    }
  }
}
I can see this happening in one of two ways, the way I'm hoping:
Field values before ruby
old.new_duration: 10
duration.epoch: 5
Ruby code executed, field values after ruby
old.new_duration: 15
or, the event.set command immediately creates a new field, overwriting any existing before executing the math op:
Field values before ruby
old.new_duration: 10
duration.epoch: 5
Ruby code executed, field values after ruby
old.new_duration: 5
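
Added example, not part of the original post: Ruby evaluates a method's arguments before the method is invoked, so both `event.get` calls complete before `event.set` writes anything. `StubEvent` below is a hypothetical stand-in that models only `get`/`set` on `[a][b]` references (it is not Logstash's event class, and raising on a malformed reference is this stub's choice), and `accumulate_duration` is a name introduced here for the filter's logic.

```ruby
# Hypothetical stand-in for the event object; not Logstash's own class.
class StubEvent
  def initialize(data)
    @data = data
  end

  # Split "[old][new_duration]" into ["old", "new_duration"].
  # Assumption: this stub rejects references with unbalanced brackets.
  def path(ref)
    keys = ref.scan(/\[([^\[\]]+)\]/).flatten
    unless keys.map { |k| "[#{k}]" }.join == ref
      raise ArgumentError, "malformed field reference: #{ref}"
    end
    keys
  end

  def get(ref)
    path(ref).reduce(@data) { |node, key| node.is_a?(Hash) ? node[key] : nil }
  end

  def set(ref, value)
    *parents, leaf = path(ref)
    node = parents.reduce(@data) do |n, key|
      n[key] = Hash.new unless n[key].is_a?(Hash)
      n[key]
    end
    node[leaf] = value
  end
end

# Same conditionals and the same single-expression set/get as the filter.
def accumulate_duration(event)
  return nil unless event.get("[old][new_duration]")
  return nil unless event.get("[old][state]") == "new"
  # Both get calls and the addition run first; set receives the finished sum.
  event.set("[old][new_duration]",
            event.get("[old][new_duration]").to_i + event.get("[duration][epoch]").to_i)
  event.get("[old][new_duration]")
end

# Constructed sample event using the values from the question.
if __FILE__ == $PROGRAM_NAME
  ev = StubEvent.new("old" => { "new_duration" => 10, "state" => "new" },
                     "duration" => { "epoch" => 5 })
  puts accumulate_duration(ev)
end
```

A missing `duration.epoch` contributes 0 because `nil.to_i` is 0, so the existing value is kept rather than raising.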