I have a column like this:
business_time_left
3 Hours 24 Minutes
59 Minutes
4 Days 23 Hours 58 Minutes
0 Seconds
1 Hour
and so on..
What I want to do in Logstash is to convert this entirely into hours.
So my values should be converted entirely to something like:
business_time_left
3.24
0.59
119.58
0
1
Is this possible?
My config file:
input {
  http_poller {
    urls => {
      snowinc => {
        url => "https://service-now.com"
        user => "your_user"
        password => "yourpassword"
        headers => { Accept => "application/json" }
      }
    }
    request_timeout => 60
    metadata_target => "http_poller_metadata"
    schedule => { cron => "* * * * * UTC" }
    codec => "json"
  }
}
filter {
  json { source => "result" }
  split { field => ["result"] }
}
output {
  elasticsearch {
    hosts => ["yourelasticIP"]
    index => "inc"
    action => "update"
    document_id => "%{[result][number]}"
    doc_as_upsert => true
  }
  stdout { codec => rubydebug }
}
Sample JSON input data returned when the URL is hit:
{"result":[
{
"made_sla":"true",
"Type":"incident resolution p3",
"sys_updated_on":"2019-12-23 05:00:00"
"business_time_left":" 59 Minutes"} ,
{
"made_sla":"true",
"Type":"incident resolution l1.5 p4",
"sys_updated_on":"2019-12-24 07:00:00"
"business_time_left":"3 Hours 24 Minutes"}]}
Thanks in advance!
Q: Is this possible?
A: Yes.
Assuming your json and split filters work correctly and the field business_time_left holds a single value like the ones you showed (e.g. 4 Days 23 Hours 58 Minutes), I personally would do the following:
First, make sure your data follows a consistent pattern, i.e. standardize the unit labels: minutes should always be labeled "Minutes", never Mins, min, or anything else.
Next, you can parse the field with the grok filter like so:
filter {
  grok {
    match => { "business_time_left" => "(%{INT:calc.days}\s+Days)?%{SPACE}?(%{INT:calc.hours}\s+Hours)?%{SPACE}?(%{INT:calc.minutes}\s+Minutes)?%{SPACE}?(%{INT:calc.seconds}\s+Seconds)?%{SPACE}?" }
  }
}
This extracts all available values into the desired fields, e.g. calc.days. The ? after each group keeps grok from failing when a unit is missing, e.g. when there are no seconds. You can test the pattern with a grok debugger.
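For example, the value 3 Hours 24 Minutes should come out as calc.hours = 3 and calc.minutes = 24, with no days or seconds fields set.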
With the data extracted, you can implement a ruby filter to aggregate the numeric values like so (untested though):
ruby {
  code => '
    days = event.get("calc.days")
    hours = event.get("calc.hours")
    minutes = event.get("calc.minutes")
    sum = 0
    if days
      # one day counts as 24 hours
      sum += days.to_i * 24
    end
    if hours
      sum += hours.to_i
    end
    if minutes
      # divide by 100.0 (not 100) so the minutes become decimals instead of being truncated to 0
      sum += minutes.to_i / 100.0
    end
    # seconds and so on ...
    event.set("business_time_left_as_hours", sum)
  '
}
So basically you check if the values are present and add them to a sum with your custom logic.
event.set("business_time_left_as_hours", sum) will set the result as a new field to the document.
These code snippets are not intended to work out of the box; they are just hints. So please check the documentation on the ruby filter, Ruby coding in general, and so on.
I hope I could help you.
Related
message.channel.bulkDelete(args[0]+1)
.then(messages => message.channel.send(`${emojiyes} Deleted **${messages.size}** messages!`) | console.log(`Deleted ${messages.size} messages!`))
This deletes far too many messages: for example, _clear 2 deletes 21 messages instead of 3. Can someone help me?
args[0] is a string, so combining it with 1 gives "2" + 1, which results in "21". If you convert the string to a number first, the addition works correctly. The parseInt() function converts the string into a number.
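For instance, "2" + 1 evaluates to the string "21", while parseInt("2") + 1 evaluates to the number 3.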
message.channel.bulkDelete(parseInt(args[0])+1)
.then(messages => message.channel.send(`${emojiyes} Deleted **${messages.size}** messages!`) | console.log(`Deleted ${messages.size} messages!`))
I'd like to query a whole list of 250k items of ~15 bytes each.
Each item (some coordinates) is a 15-byte string like xxxxxx_xxxxxx_xxxxxx.
I'm storing them using this function:
function setLocation({id, lat, lng}) {
const str = `${id}_${lat}_${lng}`
client.lpush('locations', str, (err, status) => {
console.log('pushed:', status)
})
}
Using nodejs, doing a lrange('locations', 0, -1) takes between 10 seconds and 15 seconds.
Slowlog from Redis Labs:
I tried to use sets, same results.
According to this post, this shouldn't take more than a few milliseconds.
What am I doing wrong here?
Update: I'm using an instance on Redis Labs.
All,
I'm using Logstash to ship logs from a remote server.
The message I get is a hash type like this:
[2014-12-06 23:59:57] 112.254.70.37 <AUDIO> {"type":"Stat", "eid":4800316, "mid":"87192133091532", "ccid":3228662, "ver":102, "ip":"114.113.200.227", "port":9081, "jitter":"0 0 0 0 0 ", "break":"0 0 0 0 0 ", "interrupt":"0 0 0 0 0 ", "tcp_rtt":"40 40 45 50 50 ", "udp_rtt":"31 33 35 40 35 ", "all_pkts":"107180 107193 107249 107323 107358 ", "lost":"0 0 0 0 0 ", "delay":"40.78", "pull":"3 3 3 3 3 "}
Then how can I write the grok part? I searched the docs everywhere, but I still don't know how...
thx!
First, you have to parse out your JSON data with a grok filter. Then use a json filter to parse all the hashmap values. With this config I can parse your log and create all the field:value pairs. Hope this helps.
input {
  stdin {
  }
}
filter {
  grok {
    match => [ "message" , "\[%{TIMESTAMP_ISO8601:datatime}\] %{IP:ip} <%{WORD:level}> %{GREEDYDATA:data}"]
  }
  json {
    source => "data"
  }
}
output {
  stdout {
    codec => rubydebug
  }
}
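For the sample line above, the rubydebug output should then contain fields roughly like datatime (2014-12-06 23:59:57), ip (112.254.70.37) and level (AUDIO), plus every key of the JSON payload (type, eid, mid, ccid, ver, and so on) as its own field.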
I am writing a puppet defined type as follows:
#--------------------------------------------------#
#-------------------WindowsLog---------------------#
#--------------------------------------------------#
# Type to set up a windows log                      #
#--------------------------------------------------#

define windows_log($size = '25MB', $overflowAction = 'OverwriteAsNeeded', $logName = $title)
{

  #Microsoft is stupid. Get-WinEvent has different names for logmode than limit-eventlog.
  #The following selector (basically a ternary operator) should fix that
  $overflowWinEventName = $overflowAction ? {
    OverwriteAsNeeded => "Circular",
    OverwriteOlder    => "AutoBackup",
    DoNotOverwrite    => "Retain",
    default           => undef,
  }

  if($overflowWinEventName == undef)
  {
    fail("${$overflowAction} is not a valid overflow action")
  }
  else {
    exec { "Set maximum log size for ${logName}":
      provider => powershell,
      command  => "Limit-EventLog -LogName ${logName} -MaximumSize ${size} -OverflowAction ${overflowAction}",
      unless   => "\$log = Get-WinEvent -ListLog ${logName}; if(\$log.MaximumSizeInBytes -eq ${size} -and \$log.LogMode -eq '${overflowWinEventName}'){exit 0}else{exit 1}",
    }
  }
}
However, the 'fail' function does not have the effect I want, and none of the functions listed at http://docs.puppetlabs.com/references/latest/function.html seem to be right either.
Basically, I am trying to get Puppet to throw an error for this specific resource only, stop applying it, and then continue applying everything else. fail() throws a parser error which kills everything, and the other functions (warn, error, etc.) seem to have no effect on the agent.
Any help would be greatly appreciated! I may have just stupidly overlooked something.
Your construct is basically sound. Defined resources cannot really 'fail' like native resources, but using your if/else construct, it will only do any work if there is no error.
Use fail() only if you detect an error that should make the whole catalog invalid. To just send a message to the agent, use a notify resource instead.
notify {
  "FATAL - ${overflowAction} is not a valid overflow action":
    loglevel => 'err',
    withpath => true; # <- include the fully qualified resource name
}
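Dropped into your define, that could look roughly like this (an untested sketch; your exec stays unchanged in the else branch, and ${logName} is added to the message only to keep the notify title unique per instance):
if($overflowWinEventName == undef)
{
  # report the problem on the agent without invalidating the whole catalog
  notify { "FATAL - ${overflowAction} is not a valid overflow action for ${logName}":
    loglevel => 'err',
    withpath => true,
  }
}
else {
  # exec resource from above, unchanged
}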
I'm trying to programmatically query senderbase.org but it's really hard to find any information about it.
I tried to query with:
dig txt 8.8.8.8.query.senderbase.org
Which returns:
"0-0=1|1=Google Incorporated|2=3.7|3=4.0|4=3228772|6=1174353533|8=2880|9=1|20=google-public-dns-a.|21=google.com|22=Y|23=7.9|24=8.0|25=1049184000|40=3.7|41=4.0|43=3.8|44=0.06|45=N|46=24|48=24|49=1.00|50=Mountain View|51=CA|52=94043|53=US|54=-122.057|"
But none of these fields seems to indicate whether the IP is listed or not.
I found the following page with a description of the fields, but field 26, which seems to be what I need, is not present: http://web.archive.org/web/20040830010414/http://www.senderbase.org/dnsresponses.html
I also found some SpamAssassin extensions that query rf.senderbase.org, but it gives me inconsistent results. For the same field, sometimes it returns a float and sometimes it returns nothing.
Any ideas? Or is parsing their HTML the only option?
Thanks.
The key values are as follows:
'0-0' => 'version_number',
1 => 'org_name',
2 => 'org_daily_magnitude',
3 => 'org_monthly_magnitude',
4 => 'org_id',
5 => 'org_category',
6 => 'org_first_message',
7 => 'org_domains_count',
8 => 'org_ip_controlled_count',
9 => 'org_ip_used_count',
10 => 'org_fortune_1000',
20 => 'hostname',
21 => 'domain_name',
22 => 'hostname_matches_ip',
23 => 'domain_daily_magnitude',
24 => 'domain_monthly_magnitude',
25 => 'domain_first_message',
26 => 'domain_rating',
40 => 'ip_daily_magnitude',
41 => 'ip_monthly_magnitude',
43 => 'ip_average_magnitude',
44 => 'ip_30_day_volume_percent',
45 => 'ip_in_bonded_sender',
46 => 'ip_cidr_range',
47 => 'ip_blacklist_score',
50 => 'ip_city',
51 => 'ip_state',
52 => 'ip_postal_code',
53 => 'ip_country',
54 => 'ip_longitude',
55 => 'ip_latitude',
The "domain rating" specified in SenderBase DNS responses is something that was implemented but never utilized, or at least not enough to make it useful. Other fields that were originally specified are a little hit-or-miss as well, although most should be pretty fresh for higher-volume senders of email. You might want to check out the Perl Net::SenderBase library, either to use it directly or as a reference for your own implementation.
The rf.senderbase.org domain you referred to reflects SenderBase Reputation Scores (SBRS), which is mostly independent from what you see on http://www.senderbase.org. SBRS is not considered a public service, so it would be wise to receive permission from Cisco/IronPort before using it for anything serious.
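If it helps, here is a rough, untested Ruby sketch of how a pipe-delimited TXT answer like the one above could be mapped onto those key names (the KEYS hash is only an excerpt of the table; extend it as needed):
# Hypothetical sketch: turn "0-0=1|1=Google Incorporated|2=3.7|..." into a named hash.
KEYS = {
  '0-0' => 'version_number',
  '1'   => 'org_name',
  '2'   => 'org_daily_magnitude',
  '21'  => 'domain_name',
  '26'  => 'domain_rating',
  '53'  => 'ip_country',
}

def parse_senderbase(txt)
  txt.split('|').each_with_object({}) do |pair, out|
    key, value = pair.split('=', 2)
    next if key.nil? || key.empty?
    # fall back to the raw numeric key when it is not in the table
    out[KEYS.fetch(key, key)] = value
  end
end

record = parse_senderbase('0-0=1|1=Google Incorporated|2=3.7|21=google.com|53=US')
puts record['org_name']   # => Google Incorporated
puts record['ip_country'] # => US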