Hi, I am trying to make an if contains/else dissect statement, but I can't really figure it out. This is because a log file contains an extra '|' inside a wanted field. For example 'type|timestamp|IP[xx.xx| port]|-', and I want to ignore the | in between the IP and port. Note this is just a fast example.
My idea was to do this by using an if/else and, when this is present, use a different dissect method.
This is what I have:
Error: 'Exiting: Failed to start crawler: starting input failed: Error while initializing input: missing or invalid condition'
Note: for now the dissects are the same
processors:
  - if:
      contains.message: 'path:[IP'
    then:
      - dissect:
          tokenizer: "%{service.type}|%{ID}|%{@timestamp}|%{time}|%{log.level}|%{file.path}|%{function}|%{message}|%{details}"
          field: "message"
          target_prefix: "logdata"
    else:
      - dissect:
          tokenizer: "%{service.type}|%{ID}|%{@timestamp}|%{time}|%{log.level}|%{file.path}|%{function}|%{message}|%{details}"
          field: "message"
          target_prefix: "logdata"
I hope this explains my problem enough, thanks for reading!
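
The parsing problem described in the post, as an added example that is not part of the original post and is not Filebeat's own code: a simplified Python model of dissect-style tokenizing, where the literal text between `%{...}` keys is the delimiter, with a "contains" check choosing between two tokenizers. The field names `source`, `ip`, `port` and `details` and both sample lines are constructed for illustration.

```python
import re

KEY = re.compile(r"%\{([^}]+)\}")

# Assumed tokenizers for the post's 'type|timestamp|IP[xx.xx| port]|-' shape.
PLAIN = "%{type}|%{timestamp}|%{source}|%{details}"
WITH_PORT = "%{type}|%{timestamp}|IP[%{ip}| %{port}]|%{details}"

# Constructed sample lines (not taken from a real log).
LINE_WITH_PORT = "auth|2024-01-01T10:00:00Z|IP[192.0.2.10| 443]|-"
LINE_PLAIN = "auth|2024-01-01T10:00:05Z|localhost|-"


def dissect(tokenizer, line):
    """Split line on the literal delimiters between keys; None if one is missing."""
    parts = KEY.split(tokenizer)          # [lit, key, lit, key, ..., lit]
    literals, keys = parts[0::2], parts[1::2]
    if not line.startswith(literals[0]):
        return None
    pos, fields = len(literals[0]), {}
    for key, delim in zip(keys, literals[1:]):
        if delim == "":                   # last key: takes the rest of the line
            end = len(line)
        else:
            end = line.find(delim, pos)
            if end == -1:                 # expected delimiter not present
                return None
        fields[key] = line[pos:end]
        pos = end + len(delim)
    return fields


def parse(line):
    """Mirror of the if/then/else idea: pick the tokenizer by a substring test."""
    tokenizer = WITH_PORT if "|IP[" in line else PLAIN
    return dissect(tokenizer, line)


if __name__ == "__main__":
    # One tokenizer for everything: the extra '|' shifts the fields.
    print(dissect(PLAIN, LINE_WITH_PORT))
    # Conditional choice: the '| ' inside the brackets is matched as a delimiter.
    print(parse(LINE_WITH_PORT))
    print(parse(LINE_PLAIN))
```
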