Adding tags

Salma · April 4, 2018, 4:58pm

Hi,
I'm trying to add some tags based on a given array.
if the request was equal to one of the values that are on the tags, then I want Logstash to tag it as normal, else abnormal.

Following is my code, but unfortunately, it is tagging all data as abnormal

input { 
 file {
  path => "/*"
  start_position => "beginning"
  sincedb_path => "/dev/null"
  tags => ["/index.html", "/"]
  }
}



filter {
  grok {    match => { "message" => '%{IPV4:clientip} %{NOTSPACE:ER} %{NOTSPACE:EO} \[%{HTTPDATE:timestamp}\] \"%{NOTSPACE:Method} %{DATA:request} HTTP/%{NUMBER:httpversion}\" %{NUMBER:HTTPStatus} %{NOTSPACE:ObjectSize} %{QS:referrer} %{QS:User_Agent}'   }  }
.
.
.
.

   if "request" in [tags] {   mutate {add_tag => [ "normal" ] } } 
   else {   mutate {add_tag => [ "abnormal" ] }   }
 
  }

Badger · April 4, 2018, 5:12pm

If you want to test whether grok added a request field to the event then use this. It is not a tag.

if [request] { ... }

Or perhaps test for the _grokparsefailure tag.

Salma · April 4, 2018, 7:29pm

Problem solved using ruby filter

filter {
  grok {    match => { "message" => '%{IPV4:clientip} %{NOTSPACE:ER} %{NOTSPACE:EO} \[%{HTTPDATE:timestamp}\] \"%{NOTSPACE:Method} %{DATA:request} HTTP/%{NUMBER:httpversion}\" %{NUMBER:HTTPStatus} %{NOTSPACE:ObjectSize} %{QS:referrer} %{QS:User_Agent}'   }  }
.
.
.
.

     mutate {add_field => { "activity" => "abnormal" } }
         
    ruby {
        code => 'ary=["/index.html", "/"]
        if ary.include?event.get("request".to_s)
          event.set("activity", "normal".to_s)
          end'
      }}

Topic		Replies	Views
Adding tags to logs Logstash	8	819	August 31, 2017
Add a tag if a field exists Logstash	4	11878	September 21, 2017
Logstash add tag Logstash	1	856	February 25, 2020
Logstash filter issue with tags Logstash	1	563	January 11, 2017
How to add a tag based on input data Logstash	5	16525	February 9, 2020

Adding tags

Related topics