I am trying to capture the IP address field from an incoming Logstash event and pass it on to a shell script to compare against a static blacklist. The issue is that I am able to print the IP address using puts, but I am not able to capture it to pass it on to a system() call in the ruby filter. Here is my sample config.

I am using Logstash 2.0.

Sample input = {"name":"xyz", "source_ip":"8.8.8.8"}

    input {
        stdin {
            codec => json
        }
    }

    filter {
        ruby {
            code => "
                # puts event['source_ip']  # This always works
                ip = event['source_ip']
                system('echo ${ip}')       # This echoes ${ip} instead of value !
            "
        }
    }

I also tried 'echo #${ip}' but it just prints 0.

Deep
  • It doesn't answer your ruby question, but have you considered the translate{} filter? – Alain Collins Mar 03 '16 at 19:30
  • I wasn't aware of translate{}, just looked at it. This is a good idea but a lot of other things in my conf file are already done using ruby filter which I think is more flexible. exec() and pipe() output plugins do not make sense in my use case. I would love to do this in ruby itself, I am sure it is something basic I am missing. – Deep Mar 04 '16 at 03:04
  • If you have time, it would be nice to edit your question to reflect the fact that newer versions of logstash do not support direct access to fields like your `event['source_ip']`. You can now access those fields using the accessor form: `event.get('source_ip')`. Cheers! – daplho May 04 '17 at 20:47

1 Answer

Instead of system('echo ${ip}'), use the syntax below to run shell commands:

puts `echo #{ip}`

Calling shell commands from Ruby

Community
jijinp
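
An added example, not part of the question or the answer above: `source_ip` comes from the incoming event, so interpolating it into a shell string lets whoever controls the log line control the command. This sketch validates the field with `IPAddr` and passes it as a separate argv element so no shell parses it. `echo` stands in for the blacklist script, and the function names are hypothetical; inside the ruby filter, `raw` would be the value read from `event['source_ip']`.

```ruby
require 'ipaddr'
require 'open3'

# Assumption: stand-in for the blacklist script; echo just returns its argument.
CHECK_CMD = 'echo'

# Return the canonical address string, or nil if the field is not a single IP.
def normalize_ip(value)
  # Reject non-strings and CIDR forms such as "8.8.8.8/24".
  return nil unless value.is_a?(String) && !value.include?('/')
  IPAddr.new(value).to_s
rescue ArgumentError # IPAddr's parse errors are ArgumentError subclasses
  nil
end

# Run the external command with the IP as one argv element (no shell involved).
def check_ip(raw, cmd = CHECK_CMD)
  ip = normalize_ip(raw)
  return nil if ip.nil?
  out, status = Open3.capture2(cmd, ip)
  status.success? ? out.strip : nil
end

# Argv form without validation, to show that shell metacharacters stay literal.
def argv_echo(raw)
  out, _status = Open3.capture2('echo', raw)
  out.strip
end

if __FILE__ == $PROGRAM_NAME
  hostile = '8.8.8.8; echo INJECTED' # constructed sample value
  p check_ip('8.8.8.8')  # valid address reaches the command
  p check_ip(hostile)    # rejected before any process is started
  p argv_echo(hostile)   # passed through as a single literal argument
end
```

With backticks or a single-string `system()` call the same constructed value would be split at the `;` by the shell; with the argv form it arrives as one argument, and with validation it never reaches the command at all.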