Conditional expression to test for a list of possible partial matches in a string

Elastic Stack Logstash
1

I want to select and output only the uncommon messages in a log, based on a partial match (the beginning of the message).

I can filter out one message like so

output {
  if "foo" not in [msg] {

But if it try to match [msg] against multiple options like this

output {
  if ["this", "that", "uninteresting", "boring", "yawn"] not in [msg] {

I get an error:

TypeError: no implicit conversion of Array into String

If I invert the syntax,

output {
  if [msg] not in ["this", "that", "received", "sent", "yawn"] {

I get no error, but also no filtering.

If I try the regexp operator,

output {
  if [msg] !~ ["this", "that", "received", "sent", "yawn"] {

or

output {
  if ["this", "that", "received", "sent", "yawn"] !~ [msg] {

I get a really long and ugly error about

Expected one of #, ", ', / at line 14, column 15 (byte 202) after output {\n if [msg] !~

And again no filtering.

What would be the correct way to check if any one of a list of words/strings exists in another string? Do I have to daisy chain every single comparison with OR operators?

1 Like
2

Yes, but in a regexp that is concise. Using ^ to anchor at the beginning...

if [msg] =~ /^(this|that|received|sent|yawn)/ {
1 Like
3

Thanks for the reply! But why the // to enclose the regexp instead of ""?

The example here
https://www.elastic.co/guide/en/logstash/current/config-examples.html#using-conditionals
uses "".

Cheers.

1 Like
4

=~ matches against a regexp, so I choose to use the ruby syntax for a regex (i.e. /string/). Logstash is good about converting types if the interpretation of what you give it is unambiguous.

Similarly, lots of filter options that take arrays will accept hashes, and hashes may accept arrays. I guess if somehash.to_a returns an array the filter can work with then it does not complain.

1 Like
5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.