Check if string is in field

Elastic Stack Logstash
1

Hi,

I need some help checking if a string is contained within the value of a field.

my json has a key
"log.file.path.keyword":["myfolder/mypath/mylog.log"

I tried to parse it with

filter{
if "mylog.log" in [log.file.path.keyword] {do something{}}
}

I tried also with

filter{
if "mylog.log" in [log][file][path][keyword] {do something{}}
}

In the table view I can see it named as log.file.path with the right value, but under that value there is a field called "Multi fields" with a log.file.path.keyword item having the same value as above.
Is this correct? How can i parse it correctly?

Thank you!

2

keyword is an elasticsearch construct, it does not exist in logstash. Use

if "mylog.log" in [log][file][path] {do something{}}
1 Like
3

Thank you Badger! Still doesn’t seem to find the string. In discover the field name is “log.file.path” should I try [log.file.path] ?

4

If you expand an event in the Kibana discover interface and click on the JSON tab, what does that field look like?

5

It has

“fields”:{
 ...
 “log.file.path”:[“mydirs/mydir/myfile.log”],
“agent.type”: [“filebeat”]
...
}
6

What is strange is that there is no tag field

7

When i do

If ![local][file][path]{
  mutate {add_field => {“myfield” => “notthere”}}}

I receive an extra field with the value not there
:innocent:

8

The field log.file.path is visible under available fields also

9

That is an array. Use

if "mylog.log" in [log][file][path][0] {do something{}}
10

Man u rock! You’re really awesome!!!

11

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.