Sprintf +FORMAT Field Reference

josh_jacques · June 4, 2019, 4:15pm

Under the sprintf section of Accessing Event Data and Fields in the Configuration in the logstash reference. There is mention of being able to use a +FORMAT to format the @timestamp..in their example they mention using it for outputting logs to a file based on the events date and hour.
https://www.elastic.co/guide/en/logstash/7.1/event-dependent-configuration.html#sprintf

Lets take for instance, the following config...

input {
  stdin { }
}

filter {
  mutate {
    add_field => {
      "[date_pattern]" => "+YYYY.MM"
    }
  }

  mutate {
    add_field => {
      "[year_month]" => "%{[date_pattern]}"
      "[year_month2]" => "%{+YYYY.MM}"
    }
  }
}

output {
  stdout {
    codec => rubydebug
  }
}

Followed by the results...

{
      "year_month" => "+YYYY.MM",
     "year_month2" => "2019.06",
      "@timestamp" => 2019-06-04T16:11:38.858Z,
    "date_pattern" => "+YYYY.MM",
        "@version" => "1",
            "host" => "test.server.com",
         "message" => ""
}

I was hoping that year_month would have expanded date_pattern and would yield the same result as year_month2.

Thoughts?

Is there a way to achieve this?

Badger · June 4, 2019, 5:36pm

I don't think so. If I am reading the code correctly it is either/or (well, if/else to be literal).

josh_jacques · June 4, 2019, 8:46pm

@Badger
Thank you for the reply, it's much appreciated. I am certainly no programmer/developer, so much of that code looks very confusing to me.

For what it's worth, I was initially trying to use the translate filter, with those different date formats, but knowing it's not possible to perform the action as I had hoped, I went the route of using some if statements.

Thanks again.

system · July 2, 2019, 8:46pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.