Good day,
I am trying to find the most efficient way in Logstash filters to say "if field X is one of these dozens/hundreds/thousands of values do something".
For instance, I have multiple log sources (Windows logs, firewall logs, etc.) where I have a field and want to match something.
Here are some specific examples:
- I want to do a mutate if a Windows Event ID is equal to one of dozens of values (4624, 4625, etc.)
- I want to perform a mutate on an IP address from a firewall log if the IP address matches one of several thousand IPs
- I am trying to mutate an entry when a field's string value matches one of several dozen strings
In the past if it was only a few values I would do a filter similar to this:
if [winlog][event_id] == 4624 or [winlog][event_id] == 4625 or [winlog][event_id] == 4720 or [winlog][event_id] == 5136 or [winlog][event_id] == 4744 {
  mutate { add_tag => ['tag_name_here'] }
}
However, that solution doesn't scale very well and I am sure there is a better way, but my Google-fu isn't leading me to a good answer. Sorry if I missed it.
Any suggestions?
Thanks!
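Two ways the set-membership test in this question is usually expressed, as an added example rather than anything from the original post: the "in" operator for small inline sets, and the translate filter with an external dictionary for the thousands-of-IPs case. The field names "[source][ip]" and "[labels][ip_watchlist]", the tag names and the dictionary path are assumptions; the option names "source"/"target" are those of translate filter 3.3 and later (older releases call them "field"/"destination").

```logstash
filter {
  # Small, static sets: "in" tests membership in an array literal and
  # replaces the long chain of "or" comparisons from the question.
  if [winlog][event_id] in [4624, 4625, 4720, 4744, 5136] {
    mutate { add_tag => ["tag_name_here"] }
  }

  # The same operator works for string-valued fields.
  if [process][name] in ["psexec.exe", "wmic.exe", "certutil.exe"] {
    mutate { add_tag => ["watched_process"] }
  }

  # Large sets (thousands of IPs): keep the values in a YAML file and let
  # translate do a hash lookup instead of a conditional per value.
  # Hypothetical path; each line of the file maps a watched value to a
  # label, e.g. (constructed sample, RFC 5737 documentation addresses):
  #   "203.0.113.5": "blocklist"
  #   "198.51.100.9": "blocklist"
  # Dictionary keys are strings, so string-valued fields match directly.
  translate {
    source           => "[source][ip]"
    target           => "[labels][ip_watchlist]"
    dictionary_path  => "/etc/logstash/dictionaries/ip_watchlist.yml"
    refresh_interval => 300   # re-read the file every 5 minutes
  }

  # The target field is only set when a lookup succeeded, so the mutate
  # runs solely for events whose IP is in the watch list.
  if [labels][ip_watchlist] {
    mutate { add_tag => ["ip_watchlist_hit"] }
  }
}
```

Edit the YAML file to add or remove values; the running pipeline picks the change up on the next refresh without a restart.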