Condition Section after Grok section not working

Hello Everyone!

I am trying to modify my pipeline to allow me to create a few additional fields based on certain conditions. However, that section alone is not working and I don't see any errors in my log. I had used similar conditions before adding the Grok section, and that time it had worked. Not sure what I am missing here. Any help is appreciated.

filter {
    json {
        source => message
        add_field => {
            "region" => "us-east-1"
        }
    }
    if [message] =~ /Customer Type : ec/ {
        grok {
            match => {"message" => "Automation Type : %{DATA:AutomationTypeValue}, OrderSubmitRequest UtcTimeStamp : %{TIMESTAMP_ISO8601:timestamp}, AgentId : %{DATA:agentID}, Agent Email Address: %{DATA:agentEmail}, Division : %{DATA:Division}, Opportunity Number : %{DATA:OptyNum}, Data : %{DATA:DataFlag}, Voice : %{DATA:VoiceFlag}, Video : %{DATA:VideoFlag}, Smart Office : %{DATA:SOFlag}, Package Customer : %{DATA:PackageFlag}, Existing Services : %{DATA:ExistingService}, Account Number : %{NUMBER:AcctNumber}, Title Role: %{DATA:TitleRole}, Customer Type : %{DATA:CustomerType}, Source Type : %{DATA:SourceType}, FxBuyflowSessionId : %{DATA:SessionId}, Order Number : %{DATA:OrderNumber}, ExistingTotalMrc : %{NUMBER:ExistingTotalMRC:float}, NewTotalMrc : %{NUMBER:NewTotalMRC:float},  Correlation Id : %{NUMBER:CorrId} %{GREEDYDATA:message}"}
        }
    }
    if ([message] =~ /Data : True/ and [message] =~ /Voice : False/ and [message] =~ /TV : False/ and [message] =~ /SO : False/) {
        mutate {
            add_field => {"OrderLOB" => "BIOnly"}
        }
    } else if ([message] =~ /Data : True/ and [message] =~ /Voice : True/ and [message] =~ /TV : False/ and [message] =~ /SO : False/) {
        mutate {
            add_field => {"OrderLOB" => "BI+BV"}
        }
    } else if ([message] =~ /Data : True/ and [message] =~ /Voice : True/ and [message] =~ /TV : True/ and [message] =~ /SO : False/) {
        mutate {
            add_field => {"OrderLOB" => "BI+BV+BTV"}
        }
    } else {
        mutate {
            add_field => {"OrderLOB" => "None"}
        }
    }
}

If the grok matches then [message] will be an array, so none of the rest of your references will work. You will need to change them to [message][0] if you want to match the original message, or [message][1] if you want what the GREEDYDATA at the end captured. Alternatively, use the overwrite option on the grok filter, or change the name of the capture for that GREEDYDATA.
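The "change the name of the capture" fix from the reply above, as an added example that is not part of the original thread. The grok pattern is shortened to the four service flags, and the sample line, the `rest` capture name, and the generator/stdout plugins used for testing are assumptions.

```logstash
# Test pipeline: one constructed sample line in, rubydebug event out.
input {
    generator {
        lines => ["Data : True, Voice : True, Video : False, Smart Office : False, Correlation Id : 12345 trailing text"]
        count => 1
    }
}

filter {
    grok {
        # The trailing capture is named "rest" (hypothetical name) instead of
        # "message", so grok no longer appends to [message] and it stays a
        # plain string rather than becoming an array.
        match => {"message" => "Data : %{DATA:DataFlag}, Voice : %{DATA:VoiceFlag}, Video : %{DATA:VideoFlag}, Smart Office : %{DATA:SOFlag}, Correlation Id : %{NUMBER:CorrId} %{GREEDYDATA:rest}"}
        # Alternative from the reply: keep %{GREEDYDATA:message} and add
        #     overwrite => ["message"]
        # [message] then holds only the trailing text, so conditions must
        # test the captured fields, not the original line.
    }

    # Conditions on the captured fields work with either fix, because they
    # do not depend on what [message] contains after grok.
    if [DataFlag] == "True" and [VoiceFlag] == "False" and [VideoFlag] == "False" and [SOFlag] == "False" {
        mutate {
            add_field => {"OrderLOB" => "BIOnly"}
        }
    } else if [DataFlag] == "True" and [VoiceFlag] == "True" and [VideoFlag] == "False" and [SOFlag] == "False" {
        mutate {
            add_field => {"OrderLOB" => "BI+BV"}
        }
    } else if [DataFlag] == "True" and [VoiceFlag] == "True" and [VideoFlag] == "True" and [SOFlag] == "False" {
        mutate {
            add_field => {"OrderLOB" => "BI+BV+BTV"}
        }
    } else {
        mutate {
            add_field => {"OrderLOB" => "None"}
        }
    }
}

output {
    stdout { codec => rubydebug }
}
```

For the sample line, the printed event should show `message` as a single string and `OrderLOB` set to `BI+BV`.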

Ahhh makes sense. Didn't notice that. Changed the name of GREEDYDATA and now the first condition works. Thank you so much!!

However, the else conditions don't work, even if I change the 2nd 'else if' condition to just a new 'if':

if ([message] =~ /Data : True/ and [message] =~ /Voice : False/ and [message] =~ /TV : False/ and [message] =~ /SO : False/) {
    mutate {
        add_field => {"OrderLOB" => "BIOnly"}
    }
}
if ([message] =~ /Data : True/ and [message] =~ /Voice : True/ and [message] =~ /TV : False/ and [message] =~ /SO : False/) {
    mutate {
        add_field => {"OrderLOB" => "BI+BV"}
    }
}

The second mutate requires all four patterns to match. I would suggest that if the mutate is not happening then one of the patterns does not match. Try splitting it into 4 and see if all four mutates happen.

I was adding the value to a different field. It's all good now.

Thanks again!! Appreciate the quick help!
