Can I use pattern in Logstash output plugin

Elastic Stack Logstash
1

Hello,
I want to track all the failures log in a file.
For Example,

	if "_jsonparsefailure" in [tags] {
		file {
			path => "_jsonparsefailure.txt"
		}
	}

Can I use pattern like - if "*failure*" in [tags]

so that I track all types of failure???

2

Yes, you can.

1 Like
3

Thank You

1 Like
4

No, that does not work. If you run logstash with

input { generator { count => 1 lines => [ 'foo' ] codec => json } }
output { stdout { codec => rubydebug { metadata => false } } }
filter { if "*failure*" in [tags] { mutate { add_field => { "matched" => true } } } }

then the event will have a _jsonparsefailure tag, but will not have a [matched] field. You can use

if [tags][0] =~ ".*failure.*" { ...

but that only checks the first entry in the tags array.

1 Like
5

Ah, I see that you were trying to pattern match. Yup, as Badger mentioned, that won't be possible. You will have to iterate through the tags array (if it is an array) in ruby filter and then add the field/flag separately.

6

Ok got the solution. Thank You.

1 Like
7

Thank you for your solution.

1 Like
8

Hello Badger,

How can I iterate through tags in my output plugin.. Is there are any ways.. Can you Please provide me with..
I want to do something like this....

output {
	[tags].each_index { |x|
		if [tags][x] =~ ".*failure.*" 
		{
			elasticsearch {
			hosts => ["myhost"]
			user => "username"
			password => "password"
			index => "error-log"
		         }	
		}
	}
}

this is giving error in config..

1 Like
9

This is not possible, that's why you are getting an error in config.

10

Is there an alternative to do that???
If i want to do a for each loop in filter with ruby filter, can you please provide me with the proper syntax

11

You can't do that in the output the only thing that you can use in output are simple conditionals.

You may use a ruby filter in the filter section to do that, but I do not have any code example, you may find a couple in the search of the forum.

12

Use a ruby filter in the filter section

    ruby {
        code => '
            fail = false
            tags = event.get("tags")
            tags.each { |v|
                if v =~ /failure$/
                    fail = true
                end
            }
            event.set("[@metadata][failureTag]", fail)
        '
    }

and then test [@metadata][failureTag] in the output section.

3 Likes
13

Thank You so much badger. It worked as I wanted. I really appreciate your effort. Thank you

1 Like
14

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.