Can a dissect processor have a condition?

geoffreyphippsuw · July 24, 2020, 11:41pm

Our EFK stack is receiving logs from several different kubernetes containers and other sources that use differing log patterns. I have created a dissect processor that can extract certain fields from the message field. But I need a different grok pattern for each kind of container. I decided to use a condition, like so:

processors:
  - dissect:
      when:
        contains:
          container.name: "jobmon" 
      tokenizer:  "%{LOGLEVEL:log.level}:%{GREEDYDATA:package}:%{GREEDYDATA:details}"
      field: "message"
      target_prefix: "python"

But I get yaml parse errors on the "when" condition. It works without the when clause.
This is using elasticsearch 7.8

Is this possible? Is there a better way?

Thanks
Geoff

geoffreyphippsuw · July 25, 2020, 12:44am

Hmm, I might have fixed it, there was an extra line I had missed.

system · August 22, 2020, 2:44am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Ingest pipeline dissect processor Elasticsearch	1	344	July 12, 2020
Ingest pipeline should work based on conditions Elasticsearch	2	367	July 18, 2020
Grok filter issue with data on Logstah config Logstash	4	307	June 7, 2019
Optional field in dissect plugin Logstash	2	2852	October 31, 2018
Issector mapping, pattern not found error in Logstash Logstash	3	561	January 15, 2022

Can a dissect processor have a condition?

Related Topics