Conditional filtering by source with IP addresses


First, I would like to apologize if I do not add enough data but can add more if needed.

I have created logstash filters to check if the source has the source IP in it. (ex. /var/log/XX.XX.XX.XX/*.log) but I am running into an issue where it matches multiple IP addresses.

if [source] =~ /XX.XX.XX.4/ {
mutate {
add_tag => ["HOSTNAME"]

This will end up matching with others which have similar Ip address such as /XX.XX.XX.46/. So anything in the 40s would match the .4 and be tagged. I have tried == instead of =~ but that did not work.

Is there a way to have the filter specifically equal the IP and not get tagged to others?

Let me know if any other information is needed.

If you're looking for equality don't use a regular expression.

if [source] == "XX.XX.XX.4" {

Thank you, I will try this way. I didn't think it would work since the source actually equals /var/log/xx.xx.xx.4/[date].log

I will update to see how it goes.

Oh, sorry. Then you indeed need a regular expression but you need to make it more exact, e.g. like this:

if [source] =~ /\/XX\.XX\.XX\.4\// {

(Note how slashes inside the expression need to be escaped.)

When I tried the last example provided, I get a syntax error when testing config.

SyntaxError: (eval):7704: syntax error, unexpected null
if (((event.get("[source]") =~ ///XX.XX.XX.8///))) # if [source] =~ "//XX.XX.XX.8//"
eval at org/jruby/
initialize at /usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:65
execute at /usr/share/logstash/logstash-core/lib/logstash/runner.rb:252
run at /usr/share/logstash/vendor/bundle/jruby/1.9/gems/clamp-0.6.5/lib/clamp/command.rb:67
run at /usr/share/logstash/logstash-core/lib/logstash/runner.rb:183
run at /usr/share/logstash/vendor/bundle/jruby/1.9/gems/clamp-0.6.5/lib/clamp/command.rb:132
(root) at /usr/share/logstash/lib/bootstrap/environment.rb:71

I left in a double quote that shouldn't have been there. I've edited my post to reflect this. It seems you're using double quotes on both sides of the expression. Don't do that.

The error message indicates that the `source' field is unset. Are you sure it's set?

After removing the double quotes, it looks to be working as expected. Thank you for everything!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.