Logstash giving _rubyexception while adding a field and altering its value

Question

Logstash version 6.5.4

I want to create jobExecutionTime field when status is COMPLETE and set its value as current_timestamp-created_timestamp .

These are few lines from my config file.

        match => { "message" => '%{DATA:current_timestamp},%{WORD:status},%{DATA:created_timestamp}}

if [status] == "COMPLETE" {
        mutate {
            add_field => [ "jobExecutionTime" , "null" ]
        }

        ruby {
            code => "event.set('jobExecutionTime', event.get('current_timestamp') - event.get('created_timestamp'))"
        }
    }

This my input

"created_timestamp" => "2022-07-10 23:50:03.644"
"current_timestamp" => "2022-07-10 23:50:03.744"
"status" => "COMPLETE"

I am getting this as output

              "jobExecutionTime" => "null",
              "exportFrequency" => "RECURRENT",
               "successfulImportMilestone" => 0,
                         "tags" => [
        [0] "_rubyexception"
    ],

Here jobExecutionTime is set to null rather than concerned value

Answer 1

Your [created_timestamp] and [current_timestamp] fields are strings. You cannot do math on a string, you need to convert it an object type that you can do math on. In this case you should use date filters to convert them to LogStash::Timestamp objects

If you add

    date { match => [ "created_timestamp", "ISO8601" ] target => "created_timestamp" }
    date { match => [ "current_timestamp", "ISO8601" ] target => "current_timestamp" }

to your filter section then your ruby filter will work as-is, and you will get

"created_timestamp" => 2022-07-11T03:50:03.644Z,
"current_timestamp" => 2022-07-11T03:50:03.744Z,
 "jobExecutionTime" => 0.1