Check for more than one text from the grok filtered message?

Elastic Stack Logstash
1

I'm trying to find two log types from every single line of the log file, and if it match i'm assigning a log type to it by adding a log_type field.

This is a piece of snippet from the logstash config:

    filter {
    		
    		grok {
    			patterns_dir => ["/home/chamith/work/ELK/logstash/logstash-2.3.4/bin/patterns"]
    			match => { "message" => "^%{LOGTIMESTAMP:logtimestamp}%{GREEDYDATA}" }	
    		}
    		
                mutate {
    			add_field => { "log_type" => "" }
    		}
    		
    		if "Auth" and "CHARGE_EXCEEDS_LIMIT" in ["message"]{
    			mutate {
    				add_field => { "log_type" => "Auth CHARGE_EXCEEDS_LIMIT" }
    			}
    		
    		}
    		
    		if "Auth" and "INSUFFICIENT_FUNDS" in ["message"]{
    			mutate {
    				add_field => { "log_type" => "Auth INSUFFICIENT_FUNDS" }
    			}
    		
    		}

After trying this, when i checked it from Kibana, nothing has been assigned to the new field log_type, even though it has been created.

Sketch.png1856×1044 364 KB

Where am i going wrong? Any help would be appreciated.

2 
if "Auth" and "CHARGE_EXCEEDS_LIMIT" in ["message"]{

If this is supposed to mean "if the message field contains both 'Auth' and 'CHARGE_EXCEEDS_LIMIT'" you need to write it like this:

 if "Auth" in [message] and "CHARGE_EXCEEDS_LIMIT" in [message] {
1 Like
3

Thanks, it works! :slight_smile: