Condition check eror

shijinbose · March 22, 2017, 6:54am

Hi,
I am trying to filter out "Error" from the message tag,

input {
 tcp {
 port => 5000
type => syslog
     }
 udp {
port => 5000
type => syslog
     }
}

filter
{
    grok
    {
            match => { "message" => "%{WORD:error} %{WORD:method}" }
    }
            if [error] =~ /Error/ {
                method => "Error Found"
    }
}

output {
 elasticsearch { hosts => ["localhost:9200"] }
file {
    path => "/root/Logger/logstash-5.2.2.log"
    codec => rubydebug
}
stdout { codec => rubydebug }
}

if the error pattern = "error" then i want to change the value of method to "Error Found"
this code give me the error like this
"Cannot load an invalid configuration {:reason=>"Expected one of #, { at line 19, column 11 (byte 226) after filter \n{\n\tgrok \n\t{\n\t\tmatch => { "message" => "%{WORD:error} %{WORD:method}" }\n\t}\n\t\tif [error] =~ /Error/ {\n\t\t\tmethod "}"

magnusbaeck · March 22, 2017, 7:07am

To change a field value use a mutate filter. I think its replace option is what you need in this case.

shijinbose · March 22, 2017, 7:18am

 mutate {
                     replace => { "method" => "Error Found" }
}

Thank you @magnusbaeck it works

system · April 19, 2017, 7:18am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.