EVAL inside grok logstash
I am trying to add a new field in a grok filter which is supposed to be an arithmetic expression of the fields that are extracted by the grok match command.

Unfortunately I was not able to figure out the correct syntax for that... Anybody?

I found somewhere that {(8*6)} is supposed to return 48, but what about variables instead of constants?

if [type] == "f5" {
  grok {
    match => [ message, "...%{WORD:was_status}...%{NUMBER:hour}hr:%{NUMBER:min}min:%{NUMBER:sec}sec" ]
    add_field  => [ "duration_%{was_status}", "\{((%{hour} * 3600) + (%{min} * 60) + %{sec})}" ]
  }
}

I got the result, but EVAL is obviously not working correctly:

message: ....   [ was down for 0hr:0min:4sec ]
duration_down   `\{((0 * 3600) + (0 * 60) + 4)}`

Thanks a lot, Yuri

Feliciafeliciano answered 13/3, 2014 at 1:46 Comment(0)

There is an outstanding feature request for a math filter, but I'm not aware of any such feature at this time.

In the meantime, you can use the ruby filter to run arbitrary Ruby code on your event.

Here's a simple example:

input {
    generator {
        count => 1
        message => "1 2 3"
    }
}

filter {
    grok {
        # the ":int" suffix makes grok emit integers instead of strings
        match => ["message", "%{NUMBER:a:int} %{NUMBER:b:int} %{NUMBER:c:int}"]
    }
    ruby {
        # Logstash 1.x/2.x event API; Logstash 5 and later require
        # event.set('sum', event.get('a') + event.get('b') + event.get('c'))
        code => "event['sum'] = event['a'] + event['b'] + event['c']"
    }
}

output {
    stdout {
        codec => rubydebug{}
    }
}

Note that grok will usually parse values into strings. If I hadn't converted them to integers, Ruby would have handled the + operator as a string concatenation (and sum would end up equaling 123).

Your ruby filter might look more like this:

ruby {
    # only correct if the grok pattern casts these fields with ":int"
    # (%{NUMBER:hour:int} etc.); on strings Ruby's "*" repeats and "+"
    # concatenates, so the result would be a long string, not a number
    code => "event['duration_down'] = event['hour']*3600 + event['min']*60 + event['sec']"
}
Andantino answered 17/3, 2014 at 21:12 Comment(0)
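As an added example that is not part of the original answer: a stand-alone Ruby script that reproduces the grok-then-ruby-filter arithmetic on the asker's log line without running Logstash, so the string-versus-integer behaviour described in the answer can be seen directly, together with the input checks a production ruby filter should carry. The regular expression standing in for the asker's elided grok pattern, the sample log line and the one-year sanity bound are assumptions made for the example.

```ruby
# Added example (not from the original post or from Logstash itself): a plain
# Ruby stand-in for the grok + ruby filter pipeline discussed above.

# Assumption: this regexp plays the role of the asker's grok pattern
# %{WORD:was_status} ... %{NUMBER:hour}hr:%{NUMBER:min}min:%{NUMBER:sec}sec
UPTIME_RE = /was (?<was_status>\w+) for (?<hour>\d+)hr:(?<min>\d+)min:(?<sec>\d+)sec/

# Grok without ":int" casts: every capture arrives as a String. The Hash
# stands in for the Logstash event.
def grok_strings(message)
  m = UPTIME_RE.match(message)
  return nil unless m
  m.named_captures
end

# Grok with %{NUMBER:hour:int} etc.: the numeric captures are Integers.
def grok_ints(message)
  ev = grok_strings(message)
  return nil unless ev
  %w[hour min sec].each { |k| ev[k] = Integer(ev[k], 10) }
  ev
end

# The arithmetic from the answer's second ruby filter, applied as-is.
# On String fields Ruby's "*" repeats and "+" concatenates, so the result is
# a long string of digits; on Integer fields it is the duration in seconds.
def naive_duration(ev)
  ev['hour'] * 3600 + ev['min'] * 60 + ev['sec']
end

# Hardened version for a ruby filter: convert with Integer(), which raises on
# anything that is not a clean decimal ("4x".to_i would silently return 4),
# and reject values that cannot be a real duration. Never eval() text taken
# from the event to get arithmetic; the ruby filter runs with the full
# privileges of the Logstash process.
MAX_HOURS = 24 * 366  # assumption: one year is the sanity bound for downtime

def safe_duration(ev)
  h, m, s = %w[hour min sec].map { |k| Integer(ev.fetch(k).to_s, 10) }
  unless (0..MAX_HOURS).cover?(h) && (0..59).cover?(m) && (0..59).cover?(s)
    raise ArgumentError, "duration out of range: #{h}hr:#{m}min:#{s}sec"
  end
  h * 3600 + m * 60 + s
end

# Adds "duration_<status>" the way the asker's add_field intended, computed
# rather than templated into a string.
def add_duration(ev)
  ev["duration_#{ev['was_status']}"] = safe_duration(ev)
  ev
end

if $PROGRAM_NAME == __FILE__
  # constructed sample line, modelled on the output the asker pasted
  msg = "Mar 13 01:46:00 lb1 [ was down for 0hr:0min:4sec ]"
  puts naive_duration(grok_strings(msg)).length  # 3661-character string, not 4
  puts naive_duration(grok_ints(msg))            # 4
  p add_duration(grok_strings(msg))
end
```

Run it with `ruby duration.rb`. `Integer(x, 10)` is preferred over `.to_i` inside the filter because a malformed field then fails loudly in the pipeline instead of quietly producing a wrong number, and the range check keeps a crafted log line from planting an absurd value in the indexed event.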

© 2022 - 2024 — McMap. All rights reserved.