Logstash: Sum Two or More Fields using Ruby Filter

By Minh Vu

Updated Dec 01, 2023

Disclaimer: All content on this website is derived directly from my own expertise and experiences. No AI-generated text or automated content creation tools are used.

In this tutorial, I will show you how to sum up two or more fields in Logstash using the Ruby filter.

The Ruby filter lets you run arbitrary Ruby code against each event, so you can perform complex operations that Logstash's built-in filters don't support.

How to Sum Two Fields in Logstash

To sum up two or more fields in Logstash, you can use the ruby filter with the + operator.

logstash.conf
filter {
  ruby {
    code => '
      event.set("total", event.get("field1") + event.get("field2"))
    '
  }
}

For example, I have the following Logstash event:

example.log
{
  "field1": 1,
  "field2": 2
}

Using the above Ruby code, I can sum the two fields and store the result in a new field called total.

output.log
{
  "field1": 1,
  "field2": 2,
  "total": 3
}

How to Sum Two Numeric String Fields in Logstash

If you want to sum two numeric string fields in Logstash, you need to convert them to numbers first using the to_i method inside the ruby filter.

logstash.conf
filter {
  ruby {
    code => '
      event.set("total", event.get("field1").to_i + event.get("field2").to_i)
    '
  }
}

Ruby provides several methods for converting a numeric string field:

  • to_i converts a string to an integer (most common).
  • to_f converts a string to a float (most common).
  • to_r converts a string to a rational number.
  • to_c converts a string to a complex number.

Here is the result if we apply the to_i method to convert the two fields to integers.

output.log
{
  "field1": "1",
  "field2": "2",
  "total": 3
}

Without the to_i method, the + operator concatenates the two strings instead of adding them.

output.log
{
  "field1": "1",
  "field2": "2",
  "total": "12"
}

How to Sum Two Fields in Logstash with Condition

You can also sum two fields in Logstash based on a condition using the if statement inside the ruby filter.

For example, suppose you want to sum two fields only if they are both integers.

logstash.conf
filter {
  ruby {
    code => '
      if event.get("field1").is_a?(Integer) && event.get("field2").is_a?(Integer)
        event.set("total", event.get("field1") + event.get("field2"))
      end
    '
  }
}

Then the total field will only be added if both field1 and field2 are integers.

example.log
{
  "field1": 1.5,
  "field2": 2
}

output.log
{
  "field1": 1.5,
  "field2": 2
  // total field is not added as field1 is a float
}

How to Sum Two Fields in Logstash if Both Exist

To sum two fields only when both exist, wrap the + operator in an if check inside the ruby filter.

logstash.conf
filter {
  ruby {
    code => '
      if event.get("field1") && event.get("field2")
        event.set("total", event.get("field1") + event.get("field2"))
      end
    '
  }
}

So the total field will only be added if both field1 and field2 exist.

example.log
{
  "field1": 1,
  "field100": 2
}

output.log
{
  "field1": 1,
  "field100": 2
  // total field is not added as field2 does not exist
}
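
The numeric-string, type-check and existence cases above can be combined into one stricter helper, shown here as an added example that is not code from the original tutorial. It validates every field before summing, because to_i turns "12abc" into 12 and a missing field into 0, which silently skews totals computed from untrusted log data. FakeEvent, strict_number, sum_fields and the _sum_failure tag are assumed names; field1, field2 and total come from the tutorial.

```ruby
# Added example. FakeEvent is a hypothetical stand-in for the Logstash event
# API (get/set/tag) so the logic can be run outside Logstash.
class FakeEvent
  def initialize(data); @data = data; end
  def get(key); @data[key]; end
  def set(key, value); @data[key] = value; end

  def tag(name)
    tags = (@data["tags"] ||= [])
    tags << name unless tags.include?(name)
  end
end

INT_RE   = /\A-?\d+\z/
FLOAT_RE = /\A-?\d+\.\d+\z/

# Return a number only for values that are entirely numeric, otherwise nil.
# to_i would instead turn "12abc" into 12 and nil or "" into 0.
def strict_number(value)
  return value if value.is_a?(Integer) || (value.is_a?(Float) && value.finite?)
  return nil unless value.is_a?(String)
  s = value.strip
  return s.to_i if INT_RE.match?(s)
  return s.to_f if FLOAT_RE.match?(s)
  nil
end

# Sum the named fields into target. If any field is missing or not strictly
# numeric, write nothing and tag the event ("_sum_failure" is an assumed name).
def sum_fields(event, fields, target = "total")
  numbers = fields.map { |f| strict_number(event.get(f)) }
  if numbers.any?(&:nil?)
    event.tag("_sum_failure")
    return nil
  end
  total = numbers.sum
  event.set(target, total)
  total
end

# Constructed sample events: one clean, one with a malformed value.
good = FakeEvent.new("field1" => "1", "field2" => 2)
bad  = FakeEvent.new("field1" => "12abc", "field2" => "2")
p sum_fields(good, %w[field1 field2])
p sum_fields(bad, %w[field1 field2])
p bad.get("tags")
```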

Conclusion

You have learned how to sum up two or more fields in Logstash using the Ruby filter.

I also gathered different use cases when summing two fields in Logstash so that you can apply them to your use cases.

If anything should be added or changed, please leave a comment below.
