Logstash 필터 ruby - 7th

ruby 필터를 이용한 숫자 검사.

filter {
 mutate {
  remove_field => ["@timestamp", "@version", "path", "host"]
 }

 dissect {
  mapping => {"message" => '%{}"%{}" %{status} %{}'}
  convert_datatype => {"status" => "int"}
 }

ruby {
  code => "
   for i in [2,3,4,5]
    if event.get('status').match(/#{i}\d+/)
     j = i * 100
     event.set('status2', j)
    end
   end
  "
 }
}

[2025-03-28T12:53:15,072][ERROR][logstash.filters.ruby    ][main][9cea864b7137d9fe155b8bc242225c2bc2889d096d10ad7be31764fb047da980] 
Ruby exception occurred: undefined method `match' for 200:Integer
Did you mean?  catch {:class=>"NoMethodError", :backtrace=>["(ruby filter code):4:in `block in register'", "org/jruby/RubyArray.java:1981:in `each'", "(ruby filter code):1:in `block in register'", "D:/ELK/logstash-8.17.0/vendor/bundle/jruby/3.1.0/gems/logstash-filter-ruby-3.1.8/lib/logstash/filters/ruby.rb:96:in `inline_script'", "D:/ELK/logstash-8.17.0/vendor/bundle/jruby/3.1.0/gems/logstash-filter-ruby-3.1.8/lib/logstash/filters/ruby.rb:89:in `filter'", "D:/ELK/logstash-8.17.0/logstash-core/lib/logstash/filters/base.rb:158:in `do_filter'", "D:/ELK/logstash-8.17.0/logstash-core/lib/logstash/filters/base.rb:176:in `block in multi_filter'", "org/jruby/RubyArray.java:1981:in `each'", "D:/ELK/logstash-8.17.0/logstash-core/lib/logstash/filters/base.rb:173:in `multi_filter'", "org/logstash/config/ir/compiler/AbstractFilterDelegatorExt.java:133:in `multi_filter'", "D:/ELK/logstash-8.17.0/logstash-core/lib/logstash/java_pipeline.rb:308:in `block in start_workers'"]}
{
       "tags" => [
        [0] "_rubyexception"
    ],
    "message" => "1.2.3.4 - - [12/Oct/2015:02:42:00 +0900] \"GET /bbs/view.html HTTP/1.1\" 404 37727\r",
     "status" => 404
}
{
       "tags" => [
        [0] "_rubyexception"
    ],
    "message" => "192.168.56.1 - - [12/Oct/2015:02:42:00 +0900] \"GET /bbs/view.php?board_id=kor%5Fmedia&gul_no=1106&idx=17&m=4&upage=25&tpage=&PAGE=4 HTTP/1.1\" 200 37727\r",
     "status" => 200
}

왜 검사를 못하지? 그분께 물어봤다.

match 메서드는 문자열만 검사할 수 있다고 알려주는 chatgpt느님(..) 가르쳐준대로 수정.

filter {
 mutate {
  remove_field => ["@timestamp", "@version", "path", "host"]
 }

 dissect {
  mapping => {"message" => '%{}"%{}" %{status} %{}'}
  convert_datatype => {"status" => "int"}
 }

 ruby {
  code => "
   for i in [2,3,4,5]
    if event.get('status').to_s.match(/#{i}\d+/)
     j = i * 100
     event.set('status2', j)
    end
   end
  "
 }
}

{
    "status2" => 400,
    "message" => "1.2.3.4 - - [12/Oct/2015:02:42:00 +0900] \"GET /bbs/view.html HTTP/1.1\" 404 37727\r",
     "status" => 404
}
{
    "status2" => 200,
    "message" => "192.168.56.1 - - [12/Oct/2015:02:42:00 +0900] \"GET /bbs/view.php?board_id=kor%5Fmedia&gul_no=1106&idx=17&m=4&upage=25&tpage=&PAGE=4 HTTP/1.1\" 200 37727\r",
     "status" => 200
}

관련 글

• Logstash 필터 ruby - 6th
• Logstash 필터 ruby
• Logstash 필터 grok
• Logstash 필터 mutate
• Logstash 필터 geoip
• Logstash 필터 dissect
• Logstash 필터 kv
• Logstash 필터 date
• Logstash 필터 translate
• Logstash 필터 drop
• Logstash 필터 useragent
• Logstash 필터 elapsed
• Logstash 필터 fingerprint
• Logstash 필터 csv
• Logstash 필터 dns
• Logstash 필터 split
• Logstash codec 플러그인 multiline