Wrong ruby code

ssasporta · October 11, 2017, 12:47pm

ruby {
                      # isolate the server name from the "source" field
                      # adding the field 'inputserver'
                      code => 'event.set("inputserver", event.get("source.split('/', -1)[4]"))'
                }

My logstash failing during initialization.

What is wrong with my ruby deceleration?

I am trying to split the source filed, which contains a 'path' , get the fourth parameter in the array, and put it in new field named inputserver.

The error in the logstash log is:

#event.set("inputserver", event.get("source").downcase)\n code => 'servername=@source.split('", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:50:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:145:ininitialize'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:286:in create_pipeline'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:95:inregister_pipeline'", "/usr/share/logstash/logstash-core/lib/logstash/runner.rb:274:in execute'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/clamp-0.6.5/lib/clamp/command.rb:67:inrun'", "/usr/share/logstash/logstash-core/lib/logstash/runner.rb:185:in run'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/clamp-0.6.5/lib/clamp/command.rb:132:inrun'", "/usr/share/logstash/lib/bootstrap/environment.rb:71:in `(root)'"]}
[2017-10-11T15:33:06,102][DEBUG][logstash.agent ] starting agent

Thanks
Sharon.

paz · October 11, 2017, 12:56pm

The error is because of wrong enclosing quotes. The first single quote in split actually terminates the whole code in the parser since it also opens with a single quote. To be safe, either use double quotes for the whole code block enclosure and single quotes inside the code or vice-versa.

Also:

Your function chaining is wrong, you should think of the whole event.get('fieldname') as a single variable (so the split function should be applied to it instead of the fieldname inside the get).
The -1 part in the split is not needed for the desired result you describe, and the index should be 3 instead of 4 since index starts at 0.

The correct syntax would be

ruby {
    # isolate the server name from the "source" field
    # adding the field 'inputserver'
    code => "event.set('inputserver', event.get('source').split('/')[3])"
}

system · November 8, 2017, 12:56pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.