Can I use pattern in Logstash output plugin

Rakhshunda_Noorein_J · January 6, 2023, 7:26am

Hello,
I want to track all the failures log in a file.
For Example,

	if "_jsonparsefailure" in [tags] {
		file {
			path => "_jsonparsefailure.txt"
		}
	}

Can I use pattern like - if "*failure*" in [tags]

so that I track all types of failure???

hendry.lim · January 6, 2023, 10:42am

Yes, you can.

Rakhshunda_Noorein_J · January 6, 2023, 1:51pm

Thank You

Badger · January 6, 2023, 5:41pm

No, that does not work. If you run logstash with

input { generator { count => 1 lines => [ 'foo' ] codec => json } }
output { stdout { codec => rubydebug { metadata => false } } }
filter { if "*failure*" in [tags] { mutate { add_field => { "matched" => true } } } }

then the event will have a _jsonparsefailure tag, but will not have a [matched] field. You can use

if [tags][0] =~ ".*failure.*" { ...

but that only checks the first entry in the tags array.

hendry.lim · January 9, 2023, 3:50am

Ah, I see that you were trying to pattern match. Yup, as Badger mentioned, that won't be possible. You will have to iterate through the tags array (if it is an array) in ruby filter and then add the field/flag separately.

Rakhshunda_Noorein_J · January 9, 2023, 5:53am

Ok got the solution. Thank You.

Rakhshunda_Noorein_J · January 9, 2023, 5:54am

Thank you for your solution.

Rakhshunda_Noorein_J · January 9, 2023, 10:30am

Hello Badger,

How can I iterate through tags in my output plugin.. Is there are any ways.. Can you Please provide me with..
I want to do something like this....

output {
	[tags].each_index { |x|
		if [tags][x] =~ ".*failure.*" 
		{
			elasticsearch {
			hosts => ["myhost"]
			user => "username"
			password => "password"
			index => "error-log"
		         }	
		}
	}
}

this is giving error in config..

leandrojmp · January 9, 2023, 12:07pm

This is not possible, that's why you are getting an error in config.

Rakhshunda_Noorein_J · January 9, 2023, 12:42pm

Is there an alternative to do that???
If i want to do a for each loop in filter with ruby filter, can you please provide me with the proper syntax

leandrojmp · January 9, 2023, 12:49pm

You can't do that in the output the only thing that you can use in output are simple conditionals.

You may use a ruby filter in the filter section to do that, but I do not have any code example, you may find a couple in the search of the forum.

Badger · January 9, 2023, 5:40pm

Use a ruby filter in the filter section

    ruby {
        code => '
            fail = false
            tags = event.get("tags")
            tags.each { |v|
                if v =~ /failure$/
                    fail = true
                end
            }
            event.set("[@metadata][failureTag]", fail)
        '
    }

and then test [@metadata][failureTag] in the output section.

Rakhshunda_Noorein_J · January 10, 2023, 7:30am

Thank You so much badger. It worked as I wanted. I really appreciate your effort. Thank you

Topic		Replies	Views
How to catch errors in output plugin? Logstash	2	3282	July 6, 2017
Logstash elasticsearch output plugin filtering Logstash	8	850	May 7, 2018
Logstash custom pattern not working Logstash	6	478	October 14, 2019
Logstash does not parse if 'if' condition change Logstash	6	292	September 21, 2022
Insert tags input beats in logstash not work Logstash	1	976	March 16, 2018

Can I use pattern in Logstash output plugin

Related topics