Conditional apply of filter

Jimmy_Shephard · October 20, 2016, 7:13pm

Hi,

Trying to parse different kinds of log files and output to ES but seems like the condition gets ingnored by logsash when applying filters and I get some error. Any ideas what could be going wrong?

this is the structure of my config file

if [type] == "type1" {
json {

    }                                                                                                                                                                                                                                                                                             
                                                                                                                                                                                                                                                                           
} else if [type] == "type2"  {                                                                                                                                                                                                                     
    grok {                                                                                                                                                                                                                                                                                        
    
 }                                                                                                                                                                                                                                                                                        
}else if [type] == "type3"{                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                  
                                                                                                                                                                                                                                                                                                  
    csv {                                                                                                                                                                                                                                                                                         
                                                                                                                                                                                                                                                                      
    }                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           
                                                                                                                                                                                                                                                                                                  
}

I get grock parse errors for files of type3 though im not applying grok filter to the type.

magnusbaeck · October 21, 2016, 5:56am

Do you have multiple files in /etc/logstash/conf.d? Is there an unconditional grok filter in one of the other files?

Jimmy_Shephard · October 21, 2016, 3:21pm

Yes I do have multiple files in the conf.d. dir. Looked at all but grok was being applied conditionally there too. Seems like just a tag though. Able to see actual problem in the log though, mapper parsing exception
Still trying to figure that

Jimmy_Shephard · October 26, 2016, 10:34pm

Eventually found rogue grok filters in other files. Thanks

Topic		Replies	Views
Conditionals in Grok filter for more than one log type Logstash	12	1182	October 25, 2017
Using conditionals to decide which logs to filter Logstash	3	346	October 3, 2019
Conditional Filter issue Logstash	4	314	May 14, 2020
Logstatsh Conditional Filter is not working Logstash elastic-stack-monitoring	3	300	April 19, 2022
Conditional Filter only grok IF Logstash	5	1225	October 4, 2018

Conditional apply of filter

Related topics