Logstash extractnumbers Filter Plugin

Pulse - Elasticsearch Operations Done Right

On this page

Syntax Example Use Case Common Issues and Best Practices Frequently Asked Questions

The extractnumbers filter plugin for Logstash is designed to extract numeric values from strings in log data. This plugin is particularly useful when dealing with unstructured log messages that contain numeric information embedded within text. It can extract both integer and floating-point numbers, making it versatile for various data processing needs.

Syntax

filter {
  extractnumbers {
    source => "field_name"
    target => "new_field_name"
    tag_on_failure => ["_extractnumbersfailure"]
  }
}

For more detailed information, refer to the official Logstash extractnumbers filter plugin documentation.

Example Use Case

Suppose you have log entries containing various metrics embedded in text, such as:

CPU usage peaked at 85.5% during the backup process.

You can use the extractnumbers filter to extract the numeric value:

filter {
  extractnumbers {
    source => "message"
    target => "cpu_usage"
  }
}

This configuration will create a new field called "cpu_usage" with the value 85.5.

Common Issues and Best Practices

  1. Multiple numbers: If the source field contains multiple numbers, the plugin will extract all of them into an array. Be prepared to handle array outputs in your subsequent processing.

  2. Non-numeric data: The plugin will ignore non-numeric data. Ensure that your source field actually contains numeric values to extract.

  3. Performance: While generally efficient, extracting numbers from large volumes of data can impact performance. Monitor your Logstash performance when using this plugin on high-volume data streams.

  4. Decimal separator: The plugin assumes the decimal separator is a period (.). If your data uses a different decimal separator, you may need to preprocess the data.

  5. Negative numbers: The plugin can handle negative numbers, but be aware of potential issues with minus signs used in non-numeric contexts.

Frequently Asked Questions

Q: Can the extractnumbers filter handle scientific notation?
A: Yes, the extractnumbers filter can extract numbers in scientific notation (e.g., 1.23e-4).

Q: What happens if no numbers are found in the source field?
A: If no numbers are found, the target field will not be created, and the event will be tagged with "_extractnumbersfailure" (unless you've specified a different tag_on_failure).

Q: Can I extract only integers or only floating-point numbers?
A: The extractnumbers filter extracts all numeric values by default. To extract only integers or floating-point numbers, you would need to use additional filtering or conditionals after extraction.

Q: Does the extractnumbers filter work with numbers written as words?
A: No, the extractnumbers filter only extracts numeric digits. It cannot convert words like "five" or "five million" into numbers.

Q: Can I use regular expressions with the extractnumbers filter?
A: The extractnumbers filter doesn't directly support regular expressions. If you need more complex pattern matching, you might need to use the grok filter in combination with extractnumbers.

Pulse - Elasticsearch Operations Done Right

Pulse can solve your Elasticsearch issues

Subscribe to the Pulse Newsletter

Get early access to new Pulse features, insightful blogs & exclusive events , webinars, and workshops.

We use cookies to provide an optimized user experience and understand our traffic. To learn more, read our use of cookies; otherwise, please choose 'Accept Cookies' to continue using our website.