Adding tags

Hi,
I'm trying to add some tags based on a given array.
If the request is equal to one of the values that are in the tags, then I want Logstash to tag it as normal, else abnormal.

Following is my code, but unfortunately it is tagging all data as abnormal:

input {
  file {
    path => "/*"
    start_position => "beginning"
    sincedb_path => "/dev/null"
    tags => ["/index.html", "/"]
  }
}

filter {
  grok {
    match => { "message" => '%{IPV4:clientip} %{NOTSPACE:ER} %{NOTSPACE:EO} \[%{HTTPDATE:timestamp}\] \"%{NOTSPACE:Method} %{DATA:request} HTTP/%{NUMBER:httpversion}\" %{NUMBER:HTTPStatus} %{NOTSPACE:ObjectSize} %{QS:referrer} %{QS:User_Agent}' }
  }
  .
  .
  .
  .

  if "request" in [tags] {
    mutate { add_tag => [ "normal" ] }
  } else {
    mutate { add_tag => [ "abnormal" ] }
  }
}

If you want to test whether grok added a request field to the event then use this. It is not a tag.

if [request] { ... }

Or perhaps test for the _grokparsefailure tag.

Problem solved using the ruby filter:

filter {
  grok {
    match => { "message" => '%{IPV4:clientip} %{NOTSPACE:ER} %{NOTSPACE:EO} \[%{HTTPDATE:timestamp}\] \"%{NOTSPACE:Method} %{DATA:request} HTTP/%{NUMBER:httpversion}\" %{NUMBER:HTTPStatus} %{NOTSPACE:ObjectSize} %{QS:referrer} %{QS:User_Agent}' }
  }
  .
  .
  .
  .

  mutate { add_field => { "activity" => "abnormal" } }

  ruby {
    code => '
      ary = ["/index.html", "/"]
      if ary.include?(event.get("request"))
        event.set("activity", "normal")
      end
    '
  }
}
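The allowlist check that ruby filter performs, as an added stand-alone example (not code from this thread): a MiniEvent class stands in for the Logstash event API and a regex stands in for the grok pattern, both assumptions, and it also keeps a line grok could not parse (the _grokparsefailure case the earlier reply mentions) apart from "abnormal" instead of lumping it in.

```ruby
require 'set'

# Exact-match allowlist, as in the ruby filter above (so a path with a query
# string such as "/index.html?x=1" is NOT normal).
ALLOWED_REQUESTS = Set["/index.html", "/"].freeze

# Minimal stand-in for the Logstash event object (an assumption, not the real class).
class MiniEvent
  def initialize(fields); @fields = fields; end
  def get(name); @fields[name]; end
  def set(name, value); @fields[name] = value; end
  def tag(t); tags = (@fields['tags'] ||= []); tags << t unless tags.include?(t); end
end

# Stand-in for the grok pattern on the page: only the fields this example needs.
LOG_RE = %r{\A(?<clientip>\S+) \S+ \S+ \[(?<timestamp>[^\]]+)\] "(?<method>\S+) (?<request>\S+) HTTP/(?<httpversion>[\d.]+)" (?<status>\d{3})}

# Emulates grok: copy the captures into the event, or add _grokparsefailure on a miss.
def parse_line(line)
  ev = MiniEvent.new('message' => line)
  if (m = LOG_RE.match(line))
    m.names.each { |n| ev.set(n, m[n]) }
  else
    ev.tag('_grokparsefailure')
  end
  ev
end

# Default is 'abnormal'; 'normal' only for an allowlisted request. A line grok
# could not parse has no request field at all, so it is labelled 'unparsed'
# rather than silently counted as abnormal. Returns the activity value.
def classify(event)
  if (event.get('tags') || []).include?('_grokparsefailure')
    return event.set('activity', 'unparsed')
  end
  event.set('activity', ALLOWED_REQUESTS.include?(event.get('request')) ? 'normal' : 'abnormal')
end

# Constructed sample lines (not real traffic): two allowlisted requests, one
# near-miss with a query string, and one line the pattern cannot parse.
SAMPLE_LINES = [
  '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
  '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.64.1"',
  '198.51.100.7 - - [10/Oct/2023:13:55:38 +0000] "GET /index.html?x=1 HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
  'this line is not an access-log record',
].freeze

# Parse and classify each line; returns [request, activity] pairs.
def classify_lines(lines = SAMPLE_LINES)
  lines.map { |l| ev = parse_line(l); classify(ev); [ev.get('request'), ev.get('activity')] }
end
```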
