Logstash bytes Filter Plugin

Pulse - Elasticsearch Operations Done Right

On this page

Syntax Example Use Case Common Issues and Best Practices Frequently Asked Questions

The Logstash bytes filter plugin is used to convert human-readable byte size strings (e.g., "123 MB", "1.5 GB") into their corresponding numeric byte values. This plugin is particularly useful when dealing with log data that contains file sizes or memory usage in human-readable formats, allowing for easier analysis and comparison of these values.

Syntax

The basic syntax for the bytes filter plugin is:

filter {
  bytes {
    field => "field_name"
    target => "target_field"
  }
}

For more detailed information, refer to the official Logstash bytes filter plugin documentation.

Example Use Case

Suppose you have log entries containing file sizes in human-readable format, and you want to convert them to numeric byte values for easier analysis:

filter {
  bytes {
    field => "file_size"
    target => "file_size_bytes"
  }
}

Input event:

{
  "file_size": "1.5 GB"
}

Output event:

{
  "file_size": "1.5 GB",
  "file_size_bytes": 1610612736
}

Common Issues and Best Practices

  1. Ensure that the input field contains valid byte size strings. The plugin may not work correctly with malformed input.
  2. Be aware that the plugin converts values to bytes, which can result in large numbers. Consider using a mutate filter to convert to MB or GB if needed.
  3. The plugin supports various units (B, KB, MB, GB, TB, PB), but make sure your input data uses consistent units to avoid confusion.

Frequently Asked Questions

Q: Can the bytes filter handle fractional values?
A: Yes, the bytes filter can handle fractional values like "1.5 GB" and convert them accurately to their byte equivalent.

Q: What happens if the input field doesn't contain a valid byte size string?
A: If the input field doesn't contain a valid byte size string, the plugin will not modify the field, and no error will be raised. It's a good practice to validate your input data before applying the filter.

Q: Can I use the bytes filter to convert from bytes to human-readable format?
A: No, the bytes filter is designed to convert from human-readable format to bytes. To convert from bytes to human-readable format, you would need to use a different approach, such as a custom Ruby filter.

Q: Does the bytes filter support case-insensitive unit parsing?
A: Yes, the bytes filter is case-insensitive when parsing units. Both "MB" and "mb" will be recognized as megabytes.

Q: Can I use the bytes filter with array fields?
A: Yes, if the specified field is an array, the filter will process each element of the array individually, converting any valid byte size strings to their numeric byte values.

Pulse - Elasticsearch Operations Done Right

Pulse can solve your Elasticsearch issues

Subscribe to the Pulse Newsletter

Get early access to new Pulse features, insightful blogs & exclusive events , webinars, and workshops.

We use cookies to provide an optimized user experience and understand our traffic. To learn more, read our use of cookies; otherwise, please choose 'Accept Cookies' to continue using our website.