Hello,
I have a pipeline on Logstash where I receive messages from network devices (firewalls), parse the messages using grok patterns and store them in Elasticsearch.
I have three different models. Some kinds of messages they send I parse; for other kinds I'm not done configuring the grok pattern, so I add a tag to them and store them in another index.
For each device I have a tag, for example "device01", "device02" and "device03", and another tag for the messages that do not match the grok pattern, like "device-temp". All the devices have the same type, for example "firewall".
In my pipeline I have an excluding conditional for using the mutate filter; the conditional is as below:
if "device-temp" not in [tags] and [type] == "firewall" {
mutate { things to mutate }
}
This conditional works fine, but now I'm trying to change it to an including conditional. I tried the configuration below, but it did not work:
if [tags] in ["device01", "device02", "device03"] and [type] == "firewall" {
mutate { things to mutate }
}
How can I do something like this? Do I need to use an or for each conditional? Like below:
if "device01" in [tags] or "device02" in [tags]
I'm using Logstash 5.4.3.
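An added example, not part of the original post, of an including conditional written the way Logstash evaluates `in`: the single tag string goes on the left and the `[tags]` array field on the right, so `[tags] in [ ... ]` with the array on the left never matches. The mutate body and the `parsed-firewall` tag are placeholders assumed for illustration:

```conf
filter {
  # `in` tests whether the left-hand value is an element of the right-hand list
  # (or array field). An array such as [tags] is never an element of a list of
  # strings, which is why `[tags] in ["device01", ...]` evaluates to false.
  # Parentheses group the `or` chain before the `and` on the type check.
  if ("device01" in [tags] or "device02" in [tags] or "device03" in [tags]) and [type] == "firewall" {
    mutate {
      # placeholder for the real mutations; add_tag here only marks the event
      # so the including branch can be verified in the output index
      add_tag => [ "parsed-firewall" ]
    }
  }
}
```

Events tagged "device-temp" (the non-matching grok messages) carry none of the three device tags, so they fall through this block exactly as they do with the excluding form.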