Setter value in logstash

Hi, I am trying to retrieve one key in my message.

If this key exists, do not add; else add the key.

I tried this code:

ruby {
  code => '
    size = event.get("262")
    tata = event.get("50")
    if event.get("50").nil?
      event.set("size", size)
    end
  '
}

It is working, but I don't have a value in the field. I have nil.

Please, I need help.

Thanks.

Hi,

I think you can use if statement like this:

if ![50] {
    mutate {
        add_field => { "size" => "%{262}" }
    }
}

Hi shin-higuchi,

Thanks for your reply.

It does not work. It is not a field but a key in the message.

So, which format is your original input log?
JSON? CSV? Plain text?...
Could you paste sample here?

OK, my original input is:

2017-05-22 13:50:00.000 INFO names1 - X < 8=fac|9=154|35=V|34=9||50=Good|262=lsrx5248|263=0|264=0|265=0|146=1|269=0|269=1|10=014
2017-05-22 13:50:08.000 INFO names1 - Q > 8=fac|9=4|262=lsrx5248|0=213
2017-05-22 13:50:08.000 INFO names1 - Q > 8=fac|9=4|262=lsrx5248|0=213
2017-05-22 13:50:08.000 INFO names1 - Q > 8=fac|9=4|262=lsrx5248|0=213
2017-05-22 13:50:08.000 INFO names1 - Q > 8=fac|9=4|262=lsrx5248|0=213

2017-05-22 14:50:00.000 INFO names2 - X < 8=fac|9=154|35=V|34=9||50=BAD|262=lsyx48|263=0|264=0|265=0|146=1|269=0|269=1|10=014
2019-05-22 14:50:08.000 INFO names2 - Q > 8=fac|9=5|262=lsyx48|0=214
2019-05-22 14:50:08.000 INFO names2 - Q > 8=fac|9=5|262=lsyx48|0=214
2019-05-22 14:50:08.000 INFO names2 - Q > 8=fac|9=5|262=lsyx48|0=214
2019-05-22 14:50:08.000 INFO names2 - Q > 8=fac|9=5|262=lsyx48|0=214

filter {
  grok {
    match => ["messages", "(?<date>%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:%{MINUTE}:%{SECOND}.[0-9]{3}) %{WORD:loglevel} %{WORD:A} - %{WORD:B} (.)(<|>) %{GREEDYDATA:C}"]
  }

  if "_grokparsefailure" in [tags] {
    drop {}
  }

  kv {
    source => "C"
    field_split => "|"
    value_split => "="
  }

  mutate {
    remove_field => ["path", "@version", "version", "message", "type", "host", "loglevel"]
    rename => {
      "50" => "Who"
      "262" => "id"
      ....
    }
    add_field => { "message_out" => "%{date},%{A},%{B},%{C}" }
  }
}

output {
  elasticsearch {
    hosts => "xx.xx.xx.xx:9200"
    index => "tata-%{+YYYY.MM.dd}"
  }
}

Now:

If you notice, X sends a type 50 and an id 262.
And Q answers on 262, and in Q we do not have 50.
Basically, they communicate on id 262.
So the goal is that whenever X sends a type and an id, Q also responds to it with the id and the type that goes with it.

Basically, I want to retrieve 50 and 262 for each message in Q.

Thanks for your help.

Thank you MamBarry.

Actually, I don't understand this point:

> It is not a field but a key in the message.

If you use the kv filter, keys in your original message (e.g. "50", "262") should be parsed as fields.

I guess my first code should work in this case.

Thanks.

OK, my source is C, then I split this C with KV; after that finishes, I have 50 and other keys.

Example 1, in this type of message: X < 8=fac|9=154|35=V|34=9||50=Good|262=lsrx5248|263=0|264=0|265=0|146=1|269=0|269=1|10
Output: 50 and 262.
Example 2, in this type of message: 2017-05-22 13:50:08.000 INFO names1 - Q > 8=fac|9=4|262=lsrx5248|0=213
Output: just 262.

Basically, I want to retrieve 50 and 262 for each message.

Sorry, I'm not very good at English.

I want to get the 50 that corresponds to the id 262 for each message.

Today, I have this :
input : X < 8=fac|9=154|35=V|34=9|50=Good|262=lsrx5248|263=0|264=0|265=0|146=1|269=0|269=1|10

Output :
2017-05-22 13:50:08.000 INFO names1 - Q > 8=fac|9=4|262=lsrx5248|0=213
2017-05-22 13:50:08.000 INFO names1 - Q > 8=fac|9=4|262=lsrx5248|0=213

**I want to get this answer:**

input : X < 8=fac|9=154|35=V|34=9|50=Good|262=lsrx5248|263=0|264=0|265=0|146=1|269=0|269=1|10

output : 2017-05-22 13:50:08.000 INFO names1 - Q > 8=fac|9=4|262=lsrx5248|0=213|50=Good

2017-05-22 13:50:08.000 INFO names1 - Q > 8=fac|9=4|262=lsrx5248|0=213|50=Good

Thanks
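The enrichment asked for above (copying key 50 from an X message onto later Q messages that share the same 262) needs state kept across events. The following is an added example, not code from any poster in this thread: a plain-Ruby stand-in for the logic a ruby filter would carry, with hypothetical names (`parse_kv`, `Correlator`, `MAX_IDS`). It assumes events are processed in arrival order (in Logstash that means a single pipeline worker) and that losing the in-memory table on restart is acceptable.

```ruby
# Added example: stand-alone Ruby, not Logstash's own API. All names are hypothetical.
MAX_IDS = 10_000 # cap on remembered ids so the table cannot grow without bound

# Split "8=fac|9=4|262=x" into a hash; empty segments ("||") and bare keys are skipped,
# and the last occurrence of a repeated key (269 in the samples) wins.
def parse_kv(payload)
  payload.split("|").each_with_object({}) do |pair, h|
    k, v = pair.split("=", 2)
    h[k] = v unless k.nil? || k.empty? || v.nil?
  end
end

class Correlator
  def initialize
    @who_by_id = {} # value of 262 => value of 50, learned from messages carrying both
  end

  # Returns the parsed fields, adding "50" from the table when the message lacks it.
  def process(line)
    payload = line.chomp[/ [<>] (.*)\z/, 1]
    return nil if payload.nil? # not one of the expected log lines
    f = parse_kv(payload)
    id = f["262"]
    return f if id.nil?
    if f.key?("50")
      @who_by_id.delete(id) # re-insert so the newest id sits at the end
      @who_by_id[id] = f["50"]
      @who_by_id.shift while @who_by_id.size > MAX_IDS # evict the oldest id
    elsif @who_by_id.key?(id)
      f["50"] = @who_by_id[id]
    end
    f
  end
end

# Sample lines from the thread (X messages shortened); the last one is constructed.
LINES = [
  "2017-05-22 13:50:00.000 INFO names1 - X < 8=fac|9=154|35=V|34=9||50=Good|262=lsrx5248|263=0",
  "2017-05-22 13:50:08.000 INFO names1 - Q > 8=fac|9=4|262=lsrx5248|0=213",
  "2017-05-22 14:50:00.000 INFO names2 - X < 8=fac|9=154|35=V|34=9||50=BAD|262=lsyx48|263=0",
  "2019-05-22 14:50:08.000 INFO names2 - Q > 8=fac|9=5|262=lsyx48|0=214",
  "2019-05-22 14:50:09.000 INFO names3 - Q > 8=fac|9=5|262=unseen|0=215"
]

def enrich_all(lines)
  c = Correlator.new
  lines.map { |l| c.process(l) }
end

enrich_all(LINES).each { |f| puts f.inspect }
```

A Q message whose 262 was never seen on an X message is left without a 50 rather than given a guessed value, so downstream queries can tell missing correlation from a real one.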
