Alternate to multiple if..else-if in Logstash .conf file

anisen · March 24, 2017, 4:59am

Hi,

In my log file, there is a URI field.

Now, I have added another field named 'user_operation' with a default value and want to assign different values to this 'user_operation' field depending on the value of the URI field.

In the log file, there are around 100 different URIs and I want to assign different user_operation values for each of them.

Currently I am using IF..ELSE-IF..ELSE-IF..ELSE-IF... and so on

if [uri] =~ "/_mysite/login.asmx"{
mutate {
update => {
"user_operation" => "User Login"
}
}
}
else if [uri] =~ "/_mysite/Pages/PlaceOrder.aspx"{
mutate {
update => {
"user_operation" => "Place Order"
}
}
}
else if [uri] =~ "/_mysite/LogOut.asmx"{
mutate {
update => {
"user_operation" => "Logout"
}
}
}
.....
..... and so on.

Its working.
But, I am not sure how it will impact the performance if there are so many if..else-if conditions in the logstash conf file.

Is there any better way to do this?
Please suggest.

magnusbaeck · March 24, 2017, 5:59am

The translate filter should be helpful here.

anisen · March 24, 2017, 6:29am

Thanks a lot. Will try it out.

anisen · March 24, 2017, 11:20am

Tried and it served my purpose. Thanks again @magnusbaeck . This is exactly something I was looking for.

system · April 21, 2017, 11:20am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.