Using Ruby to count the number of fields in a message, then apply CSV depending on the count?

sdberts · April 22, 2019, 4:26pm

I have logs coming from dozens of servers, and two different appliance versions, both of which are in comma-separated format.

In one version, there are 73 fields; in the other, there are 93 fields. I need to be able to count the number of fields in each message, then apply the CSV filter+column names depending on the count. My thinking would be to split the message by commas, then counting the fields.

How would this be accomplished using Ruby? Something like this:

filter {
ruby {
#Pseudo code
code => "if count of event.['message'].split(",") == 73: apply these column names;
else if count of event.['message'].split(",") == 93: apply these column names"
}
}

Badger · April 22, 2019, 4:48pm

You can count the fields using ruby

ruby { code => 'event.set("[@metadata][fields]", 1 + event.get("message").count(","))' }
if [@metadata][fields] == 73 {
     csv { ... }
} else {
     csv { ... }
}

system · May 20, 2019, 4:49pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Get the field count of a csv file Logstash	2	1016	April 13, 2018
Splitting a column in a csv Logstash	8	1356	February 21, 2017
How to check column quantity in a filter? Logstash	3	302	May 3, 2018
Count the number of rows(lines) in a CSV file Logstash	1	741	July 16, 2020
Logstash csv - Filters only rows with specific column count Logstash	2	950	January 30, 2020

Using Ruby to count the number of fields in a message, then apply CSV depending on the count?

Related topics