By Minh Vu
Updated Dec 01, 2023
Minh Vu
Software Engineer
Hi 👋, I'm a software engineer specializing in backend systems, distributed systems, and scalable architecture. My blog shares practical tutorials based on 3+ years of experience. LeetCode 1756 (Top 10%). Actively seeking SDE roles — let's get in touch!
Leave a Comment
Receive Latest Updates 📬
Get every new post, special offers, and more via email. No fee required.
In this tutorial, I will show you how to sum up two or more fields in Logstash using the Ruby filter.
With the Ruby filter, you can write any Ruby code just like other programming languages. So you can perform complex operations that Logstash doesn't support.
To sum up two or more fields in Logstash, you can use the ruby filter with the + operator.
filter { ruby { code => ' event.set("total", event.get("field1") + event.get("field2")) ' } }
For example, I have the following Logstash event:
{ "field1": 1, "field2": 2 }
Using the above Ruby code, I can sum the two fields and store the result in a new field called total.
{ "field1": 1, "field2": 2, "total": 3 }
If you want to sum two num string fields in Logstash, you need to convert them to numbers first using the to_i method inside the ruby filter.
filter { ruby { code => ' event.set("total", event.get("field1").to_i + event.get("field2").to_i) ' } }
There are different types of num string field conversions:
to_i converts a string to an integer (most common).to_f converts a string to a float (most common).to_r converts a string to a rational number.to_c converts a string to a complex number.Here is the result if we apply the to_i method to convert the two fields to integers.
{ "field1": "1", "field2": "2", "total": 3 }
Without using the to_i method, it will be a string concatenation instead of a sum.
{ "field1": "1", "field2": "2", "total": "12" }
You can also sum two fields in Logstash based on a condition using the if statement inside the ruby filter.
For example, you want to sum two fields only if they are both integers.
filter { ruby { code => ' if event.get("field1").is_a?(Integer) && event.get("field2").is_a?(Integer) event.set("total", event.get("field1") + event.get("field2")) end ' } }
Then the total field will only be added if both field1 and field2 are integers.
{ "field1": 1.5, "field2": 2 }
{ "field1": 1.5, "field2": 2 // total field is not added as field1 is a float }
You can sum two fields in Logstash if both exist using the + operator inside the ruby filter.
filter { ruby { code => ' if event.get("field1") && event.get("field2") event.set("total", event.get("field1") + event.get("field2")) end ' } }
So the total field will only be added if both field1 and field2 exist.
{ "field1": 1, "field100": 2 }
{ "field1": 1, "field100": 2 // total field is not added as field2 does not exist }
You have learned how to sum up two or more fields in Logstash using the Ruby filter.
I also gathered different use cases when summing two fields in Logstash so that you can apply them to your use cases.
If anything should be added or changed, please leave a comment below.
Next.js SEO: The Complete Checklist to Boost Your Site Ranking
Next.js JSON-LD: How to Add Structured Data to Your Website
Logstash: How to Remove Field using Mutate Filter
Logstash Conditionals: Using if/else to Control Log Flow
Logstash: Add Field to Event with Mutate Filter
Comments