Conditional apply of filter

Jimmy_Shephard · October 20, 2016, 7:13pm

Hi,

Trying to parse different kinds of log files and output to ES but seems like the condition gets ingnored by logsash when applying filters and I get some error. Any ideas what could be going wrong?

this is the structure of my config file

if [type] == "type1" {
json {

    }                                                                                                                                                                                                                                                                                             
                                                                                                                                                                                                                                                                           
} else if [type] == "type2"  {                                                                                                                                                                                                                     
    grok {                                                                                                                                                                                                                                                                                        
    
 }                                                                                                                                                                                                                                                                                        
}else if [type] == "type3"{                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                  
                                                                                                                                                                                                                                                                                                  
    csv {                                                                                                                                                                                                                                                                                         
                                                                                                                                                                                                                                                                      
    }                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           
                                                                                                                                                                                                                                                                                                  
}

I get grock parse errors for files of type3 though im not applying grok filter to the type.

magnusbaeck · October 21, 2016, 5:56am

Do you have multiple files in /etc/logstash/conf.d? Is there an unconditional grok filter in one of the other files?

Jimmy_Shephard · October 21, 2016, 3:21pm

Yes I do have multiple files in the conf.d. dir. Looked at all but grok was being applied conditionally there too. Seems like just a tag though. Able to see actual problem in the log though, mapper parsing exception
Still trying to figure that

Jimmy_Shephard · October 26, 2016, 10:34pm

Eventually found rogue grok filters in other files. Thanks