Check if string is in field

Automation_Scripts · April 7, 2021, 2:00pm

Hi,

I need some help checking if a string is contained within the value of a field.

my json has a key
"log.file.path.keyword":["myfolder/mypath/mylog.log"

I tried to parse it with

filter{
if "mylog.log" in [log.file.path.keyword] {do something{}}
}

I tried also with

filter{
if "mylog.log" in [log][file][path][keyword] {do something{}}
}

In the table view I can see it named as log.file.path with the right value, but under that value there is a field called "Multi fields" with a log.file.path.keyword item having the same value as above.
Is this correct? How can i parse it correctly?

Thank you!

Badger · April 7, 2021, 2:34pm

keyword is an elasticsearch construct, it does not exist in logstash. Use

if "mylog.log" in [log][file][path] {do something{}}

Automation_Scripts · April 7, 2021, 5:15pm

Thank you Badger! Still doesn’t seem to find the string. In discover the field name is “log.file.path” should I try [log.file.path] ?

Badger · April 7, 2021, 5:33pm

If you expand an event in the Kibana discover interface and click on the JSON tab, what does that field look like?

Automation_Scripts · April 7, 2021, 5:55pm

It has

“fields”:{
 ...
 “log.file.path”:[“mydirs/mydir/myfile.log”],
“agent.type”: [“filebeat”]
...
}

Automation_Scripts · April 7, 2021, 5:58pm

What is strange is that there is no tag field

Automation_Scripts · April 7, 2021, 6:07pm

When i do

If ![local][file][path]{
  mutate {add_field => {“myfield” => “notthere”}}}

I receive an extra field with the value not there

Automation_Scripts · April 7, 2021, 6:20pm

The field log.file.path is visible under available fields also

Badger · April 7, 2021, 6:33pm

That is an array. Use

if "mylog.log" in [log][file][path][0] {do something{}}

Automation_Scripts · April 7, 2021, 7:20pm

Man u rock! You’re really awesome!!!

system · May 5, 2021, 7:20pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.