I have the following filter added to have a tag: "alert" added to logs coming from all Prod servers when the log-level is ERROR.
It does add the "alert" tag to logs from Prod servers when the log-level is ERROR. However, when the logs are coming from Prod servers and the log-level is not equal to ERROR, a tag grokparsefailure is added. Below is my filter.
if [type] == "SomeServer1-Prod" or [type] == "SomeServer2-Prod" or [type] == "SomeServer3-Prod" or [type] == "Someserver4-Prod" {
  grok {
    match => ["log-level", "ERROR"]
    match => ["log-level", "error"]
    add_tag => ["alert"]
  }
}
That is the expected behavior of grok. And using grok to just check a field's value is hardly recommended.
You can just use conditionals to check for the value instead, like so:
if [log-level] in ["ERROR", "error"] {
  mutate {
    add_tag => ["alert"]
  }
}
if [type] == "SomeServer1-Prod" or [type] == "SomeServer2-Prod" or [type] == "SomeServer3-Prod" or [type] == "Someserver4-Prod" {
  if [log-level] in ["ERROR", "error"] {
    mutate {
      add_tag => ["alert"]
    }
  }
}
For the conditional below, Logstash throws an error and shuts down.
if [type] == "ServerWeb-QA"
{
  if ["ERROR", "error"] in [log-level]
  {
    mutate
    {
      add_tag => ["alert"]
    }
  }
}
The error I get is:
Exception in pipelineworker, the pipeline stopped processing new events,please check your filter configuration and restart Logstash. {"exception"=>#<TypeError: can't convert Array into String>, "backtrace"=>["org/jruby/RubyString.java:4462:in `include?'", "(eval):226:in `cond_func_6'", "org/jruby/RubyArray.java:1613:in `each'", "(eval):224:in `cond_func_6'", "(eval):241:in `cond_func_5'","org/jruby/RubyArray.java:1613:in `each'", "(eval):238:in `cond_func_5'", "(eval):147:in `filter_func'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.4-java/lib/logstash/pipeline.rb:259:in `filter_batch'", "org/jruby/RubyArray.java:1613:in `each'", "org/jruby/RubyEnumerable.java:852:in `inject'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.4-java/lib/logstash/pipeline.rb:257:in `filter_batch'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.4-java/lib/logstash/pipeline.rb:215:in `worker_loop'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.4-java/lib/logstash/pipeline.rb:193:in `start_workers'"], :level=>:error}
TypeError: can't convert Array into String
include? at org/jruby/RubyString.java:4462
cond_func_6 at (eval):226
each at org/jruby/RubyArray.java:1613
cond_func_6 at (eval):224
cond_func_5 at (eval):241
each at org/jruby/RubyArray.java:1613
cond_func_5 at (eval):238
filter_func at (eval):147
filter_batch at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.4-java/lib/logstash/pipeline.rb:259
each at org/jruby/RubyArray.java:1613
inject at org/jruby/RubyEnumerable.java:852
filter_batch at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.4-java/lib/logstash/pipeline.rb:257
worker_loop at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.4-java/lib/logstash/pipeline.rb:215
start_workers at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.4-java/lib/logstash/pipeline.rb:193
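Added example, not part of any post in this thread and not Logstash's own code: a Ruby sketch of why the operand order matters, plus a check that flags the reversed form in a config before it reaches a pipeline worker. It assumes, from the `include?` frame in the backtrace above, that `A in B` is evaluated as `B.include?(A)`; the names `logstash_in`, `find_reversed_in` and the sample config are hypothetical and constructed for illustration.

```ruby
# Constructed sample filter: one reversed `in` (crashes on a string field)
# and one in the order suggested in the reply above.
SAMPLE_CONFIG = <<~'CONF'
  filter {
    if [type] == "ServerWeb-QA" {
      if ["ERROR", "error"] in [log-level] {
        mutate { add_tag => ["alert"] }
      }
    }
    if [log-level] in ["ERROR", "error"] {
      mutate { add_tag => ["alert"] }
    }
  }
CONF

# Assumed model of the conditional, based on the backtrace: the right-hand
# operand receives include?(left-hand operand).
def logstash_in(left, right)
  right.include?(left)
end

# Array literal of quoted strings on the left of `in`, field reference on the right.
ARRAY_LEFT_OF_IN =
  /\[\s*"[^"]*"\s*(?:,\s*"[^"]*"\s*)*\]\s+in\s+\[[\w@.\-]+\]/

# Returns one hash per offending line: { line: <1-based number>, expr: <matched text> }.
def find_reversed_in(config_text)
  hits = []
  config_text.each_line.with_index(1) do |line, number|
    match = line.match(ARRAY_LEFT_OF_IN)
    hits << { line: number, expr: match[0] } if match
  end
  hits
end

if __FILE__ == $0
  # Field value on the left, candidate list on the right: Array#include?(String).
  puts logstash_in("ERROR", ["ERROR", "error"])
  begin
    # Reversed: String#include?(Array) raises, which is what stops the worker.
    logstash_in(["ERROR", "error"], "ERROR")
  rescue TypeError => e
    puts "TypeError: #{e.message}"
  end
  find_reversed_in(SAMPLE_CONFIG).each { |h| puts "line #{h[:line]}: #{h[:expr]}" }
end
```

Running a check like this in review or CI keeps a single mistyped conditional from halting event processing, and with it any alerting that depends on the "alert" tag.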