Checking if an nested field which is an array contains a value

Ramdev_Wudali · July 14, 2016, 7:50pm

Hi:
I am trying to check if a nested field in the input can be used for conditional checks and how to do it:
here is an example logstash config :

input {
  generator {
    message => '{"metadata": { "origins": [ "192.168.50.91" ] }}'
    codec => "json"
    count => 1
  }
}

filter {
  if [metadata][origins] =~ /192\.168\.50\.91/ {
    mutate {
      add_field => [ "router.cisco.hostname", "foo" ]
    }
  }
}

output {
  stdout { codec => rubydebug }
}

In the above config, I want to be able to check if metadata.origins has a value. However upon running this, I do not get the desired output instead I get this :
{
"metadata" => {
"origins" => [
[0] "192.168.50.91"
]
},
"@version" => "1",
"@timestamp" => "2016-07-14T19:48:05.579Z",
"host" => "u0102180-maca.ten.thomsonreuters.com",
"sequence" => 0
}

instead of getting the additional field : "router.cisco.hostname" => "foo"
added to the output.

what is wrong with the configuration. (its an array because there could be multiple entries in the origins array.

Thanks

Ramdev

magnusbaeck · July 15, 2016, 5:49am

I think either of these will work:

if [metadata][origins][0] == "192.168.50.91" {
if "192.168.50.91" in [metadata][origins] {

The second looks at all elements of the array which is probably what you want to do. I dropped the also regexp in favor of a normal equality condition.