Two questions. Can I set condition with elapesd_time? And according to logdatetime get right day of week?

zxc654951 · May 23, 2018, 6:57am

I can use elapsed filter to create elapesd_time. Now, I want to create a alert like "V" or "X" if elapsed_time over 0.01 or not. Can I do that?
And I want to get right day of week with %{+E}, but it will reply with execute day.

1:
filter{
date{
match=>["LogDateTime", "yyyy-MM-dd HH:mm:ss.SSSSSS"]
target=>"NewLogDateTime"
}
mutate{
add_field=>{"ActionState"=>" "}
add_field=>{"DayOfWeek"=>"%{+E}"}
}
if [Message]=="S"{
mutate{
copy=>{"Message" => "ActionState"}
add_tag=>["p_start"]
}
}
else if [Message]=="E"{
mutate{
copy=>{"Message" => "ActionState"}
add_tag=>["p_end"]
}
}
elapsed{
start_tag=>"p_start"
end_tag=>"p_end"
unique_id_field=>"TransactionID"
}
}

2:
filter{
date{
match=>["LogDateTime", "yyyy-MM-dd HH:mm:ss.SSSSSS"]
target=>"NewLogDateTime"
}
mutate{
add_field=>{"ActionState"=>" "}
add_field=>{"alert_time"=>" "}
add_field=>{"DayOfWeek"=>"%{+E}"}
}
if [Message]=="S"{
mutate{
copy=>{"Message" => "ActionState"}
add_tag=>["p_start"]
}
}
else if [Message]=="E"{
mutate{
copy=>{"Message" => "ActionState"}
add_tag=>["p_end"]
}
}
elapsed{
start_tag=>"p_start"
end_tag=>"p_end"
unique_id_field=>"TransactionID"
}
if [elapsed_time]>=0.01{
mutate{
join=>{"alert_time"=>"X"}
}
else if [elapsed_time]<0.01{
mutate{
join=>{"alert_time"=>"V"}
}
}

Above two filter all "Configuration OK", but the 2 filter is going wrong like below：
[ERROR] 2018-05-23 14:52:15.984 [[main]>worker3] pipeline - Exception in pipelineworker, the pipeline stopped processing new events, please check your filter configuration and restart Logstash. {:pipeline_id=>"main", "exception"=>"undefined method >=' for nil:NilClass", "backtrace"=>["(eval):364:inblock in initialize'", "org/jruby/RubyArray.java:1734:in each'", "(eval):362:inblock in initialize'", "(eval):212:in block in filter_func'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:501:infilter_batch'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:477:in worker_loop'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:439:inblock in start_workers'"], :thread=>"#<Thread:0x28a2ac73@/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:290 sleep>"}

Can someone teach me?

Badger · May 23, 2018, 4:34pm

You are missing a } before the final else of filter 2 and also at the end.

zxc654951 · May 24, 2018, 1:55am

Thanks for your answer. I add missing } to filter coding, but still show error like below:

[ERROR] 2018-05-24 09:47:44.529 [[main]>worker2] pipeline - Exception in pipelineworker, the pipeline stopped processing new events, please check your filter configuration and restart Logstash. {:pipeline_id=>"main", "exception"=>"undefined method >=' for nil:NilClass", "backtrace"=>["(eval):1999:inblock in initialize'", "org/jruby/RubyArray.java:1734:in each'", "(eval):1997:inblock in initialize'", "(eval):920:in block in filter_func'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:501:infilter_batch'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:477:in worker_loop'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:439:inblock in start_workers'"], :thread=>"#<Thread:0x5607448a@/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:290 sleep>"}

I try restart logstash, and it reply same error. Did it not get the `>=' function? My reference is https://www.elastic.co/guide/en/logstash/6.0/event-dependent-configuration.html. Did I write wrong code?

system · June 21, 2018, 1:55am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.