Can I use pattern in Logstash output plugin

Rakhshunda_Noorein_J · January 6, 2023, 7:26am

Hello,
I want to track all the failures log in a file.
For Example,

	if "_jsonparsefailure" in [tags] {
		file {
			path => "_jsonparsefailure.txt"
		}
	}

Can I use pattern like - if "*failure*" in [tags]

so that I track all types of failure???

hendry.lim · January 6, 2023, 10:42am

Yes, you can.

Rakhshunda_Noorein_J · January 6, 2023, 1:51pm

Thank You

Badger · January 6, 2023, 5:41pm

No, that does not work. If you run logstash with

input { generator { count => 1 lines => [ 'foo' ] codec => json } }
output { stdout { codec => rubydebug { metadata => false } } }
filter { if "*failure*" in [tags] { mutate { add_field => { "matched" => true } } } }

then the event will have a _jsonparsefailure tag, but will not have a [matched] field. You can use

if [tags][0] =~ ".*failure.*" { ...

but that only checks the first entry in the tags array.

hendry.lim · January 9, 2023, 3:50am

Ah, I see that you were trying to pattern match. Yup, as Badger mentioned, that won't be possible. You will have to iterate through the tags array (if it is an array) in ruby filter and then add the field/flag separately.

Rakhshunda_Noorein_J · January 9, 2023, 5:53am

Ok got the solution. Thank You.

Rakhshunda_Noorein_J · January 9, 2023, 5:54am

Thank you for your solution.

Rakhshunda_Noorein_J · January 9, 2023, 10:30am

Hello Badger,

How can I iterate through tags in my output plugin.. Is there are any ways.. Can you Please provide me with..
I want to do something like this....

output {
	[tags].each_index { |x|
		if [tags][x] =~ ".*failure.*" 
		{
			elasticsearch {
			hosts => ["myhost"]
			user => "username"
			password => "password"
			index => "error-log"
		         }	
		}
	}
}

this is giving error in config..

leandrojmp · January 9, 2023, 12:07pm

This is not possible, that's why you are getting an error in config.

Rakhshunda_Noorein_J · January 9, 2023, 12:42pm

Is there an alternative to do that???
If i want to do a for each loop in filter with ruby filter, can you please provide me with the proper syntax

leandrojmp · January 9, 2023, 12:49pm

You can't do that in the output the only thing that you can use in output are simple conditionals.

You may use a ruby filter in the filter section to do that, but I do not have any code example, you may find a couple in the search of the forum.

Badger · January 9, 2023, 5:40pm

Use a ruby filter in the filter section

    ruby {
        code => '
            fail = false
            tags = event.get("tags")
            tags.each { |v|
                if v =~ /failure$/
                    fail = true
                end
            }
            event.set("[@metadata][failureTag]", fail)
        '
    }

and then test [@metadata][failureTag] in the output section.

Rakhshunda_Noorein_J · January 10, 2023, 7:30am

Thank You so much badger. It worked as I wanted. I really appreciate your effort. Thank you

system · February 7, 2023, 7:30am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.