Logstash mutate gsub not working inside "if" statement - logstash

I have an issue using the Logstash mutate filter gsub.
Required
Remove the "ZC" characters from a field and convert it into a float.
{
    "field" => "12.343,40ZC",
    "@timestamp" => 2020-01-06T23:00:00.000Z
}
Expected output
{
    "field" => "-12343,40",
    "@timestamp" => 2020-01-06T23:00:00.000Z
}
Code not working
filter {
    if "ZC" in "field" {
        mutate { gsub => [ "field", "ZC", "" ] }
    }
}
Code working
filter {
    mutate { gsub => [ "field", "ZC", "" ] }
}
I need the "if" statement because, depending on whether the two characters exist inside the field, the float has to be positive or negative.

Your conditional is wrong. If you use "field", Logstash understands that as a string with the value field; the correct way is to use the format [field].
Change your conditional to the following.
filter {
    if "ZC" in [field] {
        mutate { gsub => [ "field", "ZC", "" ] }
    }
}
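A complete pipeline for the requirement stated in the question (the "ZC" suffix marks a negative amount, and "12.343,40" uses a thousands separator with a decimal comma), as an added example that is not part of the original question or answer. It goes one step further than the expected output shown above by also producing a signed float. The generator input, the `negative` tag name and the ruby negation step are my own assumptions:

```logstash
input {
  # Constructed sample events: one with the ZC marker and one without.
  generator {
    lines => [ '{"field":"12.343,40ZC"}', '{"field":"12.343,40"}' ]
    codec => "json"
    count => 1
  }
}

filter {
  # Field references in conditionals use [field]; "field" is the literal string.
  if "ZC" in [field] {
    mutate {
      gsub    => [ "field", "ZC", "" ]
      add_tag => [ "negative" ]
    }
  }

  # Strip the thousands separator and turn the decimal comma into a point.
  # A single mutate applies its operations in a fixed order (convert runs
  # before gsub), so the gsub and the convert live in separate blocks.
  mutate {
    gsub => [
      "field", "[.]", "",
      "field", ",",   "."
    ]
  }
  mutate {
    convert => { "field" => "float" }
  }

  # Apply the sign recorded by the tag; event.get returns a Ruby Float here.
  if "negative" in [tags] {
    ruby {
      code => "event.set('field', -event.get('field'))"
    }
  }
}

output {
  stdout { codec => rubydebug }
}
```

Run with `bin/logstash -f` on this file: the first event leaves the pipeline with `field => -12343.4` and the tag `negative`, the second with `field => 12343.4` and no tag.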

Related

match multiple date formats with logstash date filter plugin

I have dates in my logs in the formats below:
YYYY-M-dd, YYYY-MM-d and YYYY-M-d
2020-9-21
2020-11-1
2020-9-1
The date filter plugin matches with:
date {
    match => [ "event_date", "yyyy-MM-dd" ]
}
For some logs I get a date parse exception because of this. Is it possible to match all of these? I mean: match this format, and if it does not match, try another date format.
The error is:
"failed to parse field [event_date] of type [date] in document with id '...'. Preview of field's value: '2017-11-2'", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"failed to parse date field [2017-11-2] with format [strict_date_optional_time||epoch_millis]", "caused_by"=>{"type"=>"date_time_parse_exception", "reason"=>"date_time_parse_exception: Failed to parse with all enclosed parsers"}}}}}}
How can I solve it? Thanks for answering.
One solution is to have a switch-like mechanism implemented by the date filter with the tag_on_failure value. It looks like this:
filter {
    date {
        match => [ "event_date", "yyyy-MM-dd" ]
        tag_on_failure => [ "not_format_date1" ]
    }
    if "not_format_date1" in [tags] {
        date {
            match => [ "event_date", "yyyy-MM-d" ]
            tag_on_failure => [ "not_format_date2" ]
        }
    }
    if "not_format_date2" in [tags] {
        date {
            match => [ "event_date", "yyyy-M-d" ]
            tag_on_failure => [ "no_format" ]
        }
    }
}
I have tried the first answer but it didn't solve my issue. @YLR's way is also a good way to improve.
I have solved my question by changing fields like M to MM with if conditions. Below is an example.
if [monthday] == "1" {
    mutate {
        update => { "monthday" => "01" }
    }
} else if [monthday] == "2" {
    mutate {
        update => { "monthday" => "02" }
    }
} else if [monthday] == "3" {
    mutate {
        update => { "monthday" => "03" }
    }
}
....
That solved my question, but it is a little bit of a hard way.
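The date filter also accepts several patterns in one `match` array and tries them left to right, which replaces both the tag cascade in the answer above and the per-day `if` chain in the follow-up. This is an added example, not code from either post. Two details matter for the error quoted in the question: it is raised by Elasticsearch's `date` mapping when it receives the string '2017-11-2', and the date filter by default writes its result to `@timestamp` and leaves `event_date` untouched, so the mapping keeps seeing the raw string. Setting `target => "event_date"` overwrites the field with the parsed timestamp, which indexes as ISO-8601. The generator input and the `_date_unparsed` tag name are assumptions:

```logstash
input {
  # Constructed sample values in the three layouts from the question, plus one
  # that matches none of them.
  generator {
    lines => [
      '{"event_date":"2020-9-21"}',
      '{"event_date":"2020-11-1"}',
      '{"event_date":"2020-9-1"}',
      '{"event_date":"not a date"}'
    ]
    codec => "json"
    count => 1
  }
}

filter {
  date {
    # Patterns are tried in order; the first one that parses wins.
    match => [ "event_date", "yyyy-MM-dd", "yyyy-MM-d", "yyyy-M-dd", "yyyy-M-d" ]
    # Replace the string with the parsed value so Elasticsearch sees a real date.
    target => "event_date"
    tag_on_failure => [ "_date_unparsed" ]
  }

  # Keep unparseable strings out of the date-mapped field instead of letting the
  # indexing request fail; the raw value is preserved under another name.
  if "_date_unparsed" in [tags] {
    mutate { rename => { "event_date" => "event_date_raw" } }
  }
}

output {
  stdout { codec => rubydebug }
}
```

Joda-Time, which the date filter uses for parsing, treats a single `M` or `d` as a minimum width when the fields are separated by a literal, so `yyyy-M-d` alone normally covers all three layouts; listing all four only makes the intent explicit.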

Grok returns array instead of single string

I'm new to grok and I have run into this issue that I just don't know how to solve.
Below is my grok match:
grok {
    match => { "source" => "/var/log/nginx/sites/\b\w+\b/\b\w+\b/\b\w+\b/%{DATA:uuid}/" }
}
mutate {
    add_field => {
        "read_timestamp" => "%{@timestamp}"
        "token" => "%{[fields][token]}"
        "logzio_codec" => "%{[fields][logzio_codec]}"
        "uuid" => "%{uuid}"
        "type" => "%{[fields][type]}"
        "category" => "%{[fields][category]}"
    }
}
For some reason the uuid is matched and results in an array of 2 uuids (duplicated values). Instead of uuid_string I get [uuid_string, uuid_string].
I tried it on https://grokdebug.herokuapp.com/ and got what I expected, so I wonder what is wrong?
So once again I misunderstood how grok works. It seems that once the match is done, all the fields are already added to the output. The additional add_field for uuid in the mutate thus causes the field to be added twice, and Logstash then treats it as an array.

Logstash - Converting String to an Integer

In my Logstash I have the configuration below:
filter {
    mutate {
        add_field => {
            "doclength" => "%{size}"
        }
        convert => { "doclength" => "integer" }
        remove_field => [ "size" ]
    }
}
I intend to store the field "doclength" in Elasticsearch as an integer. But somehow in ES it shows the mapping as "string" only.
Not sure what I am missing here; the expected behavior is not matching the actual one.
Try this one, it worked on my machine.
filter {
    mutate {
        convert => { "size" => "integer" }
        rename => { "size" => "doclength" }
    }
}
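The duplicated-uuid question above and this string-to-integer question have the same root cause: `add_field` is a common option that the filter applies only after its own actions have succeeded, and a mutate runs its actions in a fixed order (coerce, rename, update, replace, convert, gsub, ...) regardless of how they are written. So in the question's config, `convert` looks for `doclength` before `add_field` has created it and does nothing, while an `add_field` onto a field grok already populated appends a second value and yields an array. The following added example (not code from either post) shows the forms that behave as intended; the generator input with its constructed `size` and `uuid` values, and the `size_copy` and `request_uuid` field names, are assumptions:

```logstash
input {
  # Constructed event: a numeric string and a uuid as grok would have left it.
  generator {
    lines => [ '{"size":"4096","uuid":"11111111-2222-3333-4444-555555555555"}' ]
    codec => "json"
    count => 1
  }
}

filter {
  # Convert the field that already exists, then rename it; both are mutate
  # actions, and rename runs before convert in the fixed order, so the
  # convert below must name the new field. Written as one block this is the
  # working answer's shape; written as two blocks the order is explicit.
  mutate { rename  => { "size" => "doclength" } }
  mutate { convert => { "doclength" => "integer" } }

  # If a derived field is wanted as well, create it in one block and convert
  # it in the next: add_field runs after convert inside a single mutate.
  mutate { add_field => { "size_copy" => "%{doclength}" } }
  mutate { convert   => { "size_copy" => "integer" } }

  # add_field on a field that already exists appends and produces an array.
  # To carry the value under another name use copy; to overwrite in place
  # use replace (update does the same but only when the field exists).
  mutate {
    copy    => { "uuid" => "request_uuid" }
  }
}

output {
  stdout { codec => rubydebug }
}
```

With this pipeline `doclength` and `size_copy` leave as integers, `uuid` stays a single string, and `request_uuid` holds the same value; the Elasticsearch mapping for `doclength` is then created as a number on first index.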

Logstash jdbc plugin understanding

Can anyone explain what add_field does?
filter {
    mutate {
        add_field => { "%{column1}" => "column2" }
    }
}
What is the difference between the add_field present in the mutate, clone, kv and grok plugins?
With this config, add_field adds a new field to the message: the field name will be equal to the value of the 'column1' field in the input, and its value will be the literal 'column2'. If you want the value to be the value of the input field, you have to use %{column2}.

How to add a new dynamic value(which is not there in input) to logstash output?

My input has a timestamp in the format Apr20 14:59:41248 Dataxyz.
Now in my output I need the timestamp in the format below:
Day Month Monthday Hour:Minute:Second Year DataXYZ. I was able to remove the timestamp from the input, but I am not quite sure how to add the new timestamp.
I matched the message using grok while receiving the input:
match => [ "message", "%{WORD:word} %{TIME:time} %{GREEDYDATA:content}" ]
I tried using mutate add_field, but was not successful in adding the value of DAY: add_field => [ "timestamp", "%{DAY}" ]. I got the output as the word 'DAY' and not the value of DAY. Can someone please throw some light on what is being missed?
You need to grok it out into the individual named fields, and then you can reference those fields in add_field.
So your grok would start like this:
%{MONTH:month}%{MONTHDAY:mday}
And then you can put them back together like this:
mutate {
    add_field => {
        "newField" => "%{mday} %{month}"
    }
}
You can check my answer; I think this will be very helpful to you.
grok {
    match => { "message" => "%{TIMESTAMP_ISO8601:time} \[%{NUMBER:thread}\] %{LOGLEVEL:loglevel} %{JAVACLASS:class} - %{GREEDYDATA:msg}" }
}
if "Exception" in [msg] {
    mutate {
        add_field => { "msg_error" => "%{msg}" }
    }
}
You can use custom grok patterns to extract/rename fields.
You can extract other fields similarly and rearrange/play around with them in the mutate filter. Refer to Custom Patterns for more information.
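An added example (not code from either answer) that applies the custom-pattern advice to the exact sample line from the question. Custom patterns are needed here because the stock `MONTH` pattern ends in a word boundary, so it does not match "Apr" when the day digits follow without a space. The example assumes that "41248" is the seconds "41" followed by three digits of milliseconds, takes the year from `@timestamp` via the `%{+YYYY}` sprintf format because the input carries none, and leaves out the weekday for the same reason; the `MON3`, `SEC2` and `MS3` pattern names and the `timestamp` output field are mine:

```logstash
input {
  # Constructed copy of the line from the question.
  generator {
    message => "Apr20 14:59:41248 Dataxyz"
    count   => 1
  }
}

filter {
  grok {
    # Tighter month pattern without the trailing \b of the stock MONTH, plus
    # fixed-width seconds and milliseconds for the run-together "41248".
    pattern_definitions => {
      "MON3" => "(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
      "SEC2" => "[0-5][0-9]"
      "MS3"  => "[0-9]{3}"
    }
    match => {
      "message" => "^%{MON3:month}%{MONTHDAY:mday} %{HOUR:hour}:%{MINUTE:minute}:%{SEC2:second}%{MS3:millis} %{GREEDYDATA:content}$"
    }
  }

  # Reassemble from the named captures; %{+YYYY} formats the event's
  # @timestamp, which is the only source of a year in this event.
  if "_grokparsefailure" not in [tags] {
    mutate {
      add_field => {
        "timestamp" => "%{month} %{mday} %{hour}:%{minute}:%{second}.%{millis} %{+YYYY} %{content}"
      }
    }
  }
}

output {
  stdout { codec => rubydebug }
}
```

For the sample line the grok stage yields `month => Apr`, `mday => 20`, `hour => 14`, `minute => 59`, `second => 41`, `millis => 248` and `content => Dataxyz`, and the mutate stage builds `timestamp` from those fields rather than from a bare pattern name, which is why `%{DAY}` in the question produced the literal text "DAY".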
