Can you do Or statments in a filter?


(Jason) #1

So I have two firewalls and a filter setup to process with a "if [host]" check is met. Is there a way to something like:

if [host] =~ /192\.168\.100\.1/  OR  /192\.168\.100\.2/ {

}

(Magnus B├Ąck) #2

Yes you can:

if [host] =~ /192\.168\.100\.1/ or [host] =~ /192\.168\.100\.2/ {

Better:

if [host] =~ /^192\.168\.100\.[12]$/ {

The syntax for conditionals is documented: https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html


(system) #3