Conditional Filter issue

I have this filter in the config file, and I am trying to validate it using the built-in test config functionality. I am getting an error.

filter {
  if( "Network Login" in [message]){
    if("caps_fail" in [message]){
      grok{
        match =>{"message" => "%{TIMESTAMP_ISO8601:timeStamp}"}
      }
    }else{
      grok{
        match =>{"message" => "%{TIMESTAMP_ISO8601:timeStamp}"}
      }
    }
#outer else
  }else{
    grok{
      match =>{"message" => "%{TIMESTAMP_ISO8601:timeStamp"}
    }
  }

I cut short the grok patterns. I tested these patterns in the debugger before putting them here.
Here is the error message after running: /bin/logstash --config.test_and_exit -f logstash.conf

[FATAL] 2020-04-14 13:01:56.137 [LogStash::Runner] runner - The given configuration is invalid. Reason: Expected one of [ \t\r\n], "#", "{", "}" at line 20, column 17 (byte 1279) after filter {
 if( "Network Login" in [message]){
   if("caps_fail" in [message]){
     grok{
       match =>{"message" => "%{TIMESTAMP_ISO8601:timeStamp}"}
     }
   }else{
     grok{
       match =>{"message" => "%{TIMESTAMP_ISO8601:timeStamp}"}
     }
   }
#outer else
 }else{
   grok{
     match =>{"
[ERROR] 2020-04-14 13:01:56.140 [LogStash::Runner] Logstash - java.lang.IllegalStateException: Logstash stopped processing because of an error: (SystemExit) exit

I am trying to extract data based on strings present in the log and trying to use nested if statements. I still want to nest three if statements. I am not able to figure out what is wrong. Please help. Thanks.

Hi there,

First of all, you missed the } closing the filter section. Anyway, can you post your whole pipeline here and a sample input event, too?

Thanks, you are right, it was just missing }. Thanks.

No problem :wink:
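An added example, not code from this thread or from Logstash: a small Python brace checker run over the filter exactly as posted above. It skips quoted strings (so the `%{...}` grok patterns do not count) and `#` comments, and reports the opening `{` that is never closed, which the parser's error position does not show. The name `find_unbalanced` is hypothetical, and `/regex/` literals are assumed absent.

```python
# Constructed sample: the filter as posted in the question (closing brace missing).
SAMPLE = '''\
filter {
  if( "Network Login" in [message]){
    if("caps_fail" in [message]){
      grok{
        match =>{"message" => "%{TIMESTAMP_ISO8601:timeStamp}"}
      }
    }else{
      grok{
        match =>{"message" => "%{TIMESTAMP_ISO8601:timeStamp}"}
      }
    }
#outer else
  }else{
    grok{
      match =>{"message" => "%{TIMESTAMP_ISO8601:timeStamp"}
    }
  }
'''

def find_unbalanced(config_text):
    """Return (unclosed, stray): (line, col) of each '{' never closed and each '}' never opened."""
    stack, stray = [], []
    quote = None                      # active string delimiter, None outside strings
    for lineno, line in enumerate(config_text.splitlines(), 1):
        i = 0
        while i < len(line):
            ch = line[i]
            if quote:
                if ch == "\\" and line[i + 1:i + 2] == quote:
                    i += 1            # escaped quote does not end the string
                elif ch == quote:
                    quote = None
            elif ch in "\"'":
                quote = ch
            elif ch == "#":
                break                 # comment runs to end of line
            elif ch == "{":
                stack.append((lineno, i + 1))
            elif ch == "}":
                if stack:
                    stack.pop()
                else:
                    stray.append((lineno, i + 1))
            i += 1
    return stack, stray

if __name__ == "__main__":
    unclosed, stray = find_unbalanced(SAMPLE)
    print("unclosed '{' at:", unclosed, "| stray '}' at:", stray)
```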
