Conditional filtering by source with IP addresses

rayl7786 · March 13, 2017, 2:03pm

Hello,

First, I would like to apologize if I do not add enough data but can add more if needed.

I have created logstash filters to check if the source has the source IP in it. (ex. /var/log/XX.XX.XX.XX/*.log) but I am running into an issue where it matches multiple IP addresses.

if [source] =~ /XX.XX.XX.4/ {
mutate {
add_tag => ["HOSTNAME"]
}
}

This will end up matching with others which have similar Ip address such as /XX.XX.XX.46/. So anything in the 40s would match the .4 and be tagged. I have tried == instead of =~ but that did not work.

Is there a way to have the filter specifically equal the IP and not get tagged to others?

Let me know if any other information is needed.

magnusbaeck · March 14, 2017, 6:39am

If you're looking for equality don't use a regular expression.

if [source] == "XX.XX.XX.4" {

rayl7786 · March 14, 2017, 12:12pm

Thank you, I will try this way. I didn't think it would work since the source actually equals /var/log/xx.xx.xx.4/[date].log

I will update to see how it goes.

magnusbaeck · March 14, 2017, 5:36pm

Oh, sorry. Then you indeed need a regular expression but you need to make it more exact, e.g. like this:

if [source] =~ /\/XX\.XX\.XX\.4\// {

(Note how slashes inside the expression need to be escaped.)

rayl7786 · March 14, 2017, 1:04pm

When I tried the last example provided, I get a syntax error when testing config.

SyntaxError: (eval):7704: syntax error, unexpected null
if (((event.get("[source]") =~ ///XX.XX.XX.8///))) # if [source] =~ "//XX.XX.XX.8//"
^
eval at org/jruby/RubyKernel.java:1079
initialize at /usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:65
execute at /usr/share/logstash/logstash-core/lib/logstash/runner.rb:252
run at /usr/share/logstash/vendor/bundle/jruby/1.9/gems/clamp-0.6.5/lib/clamp/command.rb:67
run at /usr/share/logstash/logstash-core/lib/logstash/runner.rb:183
run at /usr/share/logstash/vendor/bundle/jruby/1.9/gems/clamp-0.6.5/lib/clamp/command.rb:132
(root) at /usr/share/logstash/lib/bootstrap/environment.rb:71

magnusbaeck · March 14, 2017, 2:10pm

I left in a double quote that shouldn't have been there. I've edited my post to reflect this. It seems you're using double quotes on both sides of the expression. Don't do that.

The error message indicates that the `source' field is unset. Are you sure it's set?

rayl7786 · March 14, 2017, 5:36pm

After removing the double quotes, it looks to be working as expected. Thank you for everything!

system · April 11, 2017, 5:36pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.