First, I would like to apologize if I do not add enough data, but I can add more if needed.
I have created Logstash filters to check if the source has the source IP in it (ex. /var/log/XX.XX.XX.XX/*.log), but I am running into an issue where it matches multiple IP addresses.
This will end up matching with others which have similar IP addresses such as /XX.XX.XX.46/. So anything in the 40s would match the .4 and be tagged. I have tried == instead of =~ but that did not work.
Is there a way to have the filter specifically equal the IP and not get tagged to others?
When I tried the last example provided, I get a syntax error when testing config.
SyntaxError: (eval):7704: syntax error, unexpected null
if (((event.get("[source]") =~ ///XX.XX.XX.8///))) # if [source] =~ "//XX.XX.XX.8//"
^
eval at org/jruby/RubyKernel.java:1079
initialize at /usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:65
execute at /usr/share/logstash/logstash-core/lib/logstash/runner.rb:252
run at /usr/share/logstash/vendor/bundle/jruby/1.9/gems/clamp-0.6.5/lib/clamp/command.rb:67
run at /usr/share/logstash/logstash-core/lib/logstash/runner.rb:183
run at /usr/share/logstash/vendor/bundle/jruby/1.9/gems/clamp-0.6.5/lib/clamp/command.rb:132
(root) at /usr/share/logstash/lib/bootstrap/environment.rb:71
I left in a double quote that shouldn't have been there. I've edited my post to reflect this. It seems you're using double quotes on both sides of the expression. Don't do that.
The error message indicates that the `source` field is unset. Are you sure it's set?
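An added example, not code from any poster in this thread: Logstash conditionals compile to Ruby `=~` tests (as the error output above shows), so the over-matching can be reproduced in plain Ruby. The 192.0.2.x paths, the tag names and all helper names are constructed assumptions standing in for the redacted addresses, and the loose pattern is an assumed form of the original filter, which the thread does not show.

```ruby
# Constructed sample paths (192.0.2.0/24 is a documentation range).
SAMPLE_PATHS = [
  "/var/log/192.0.2.4/messages.log",
  "/var/log/192.0.2.46/messages.log",
  "/var/log/192.0.2.40/auth.log",
  "/var/log/192.0.254.1/auth.log",
].freeze

# Loose pattern (assumed original): no trailing delimiter and unescaped dots,
# so "." matches any character and the match can stop mid-octet.
def loose_pattern(ip)
  Regexp.new("/" + ip)
end

# Strict pattern: dots escaped, and the IP must fill a whole path component,
# bounded by "/" on both sides.
def strict_pattern(ip)
  Regexp.new("/" + Regexp.escape(ip) + "/")
end

# Return the paths that a given pattern would tag.
def matching_paths(pattern, paths)
  paths.select { |path| pattern.match?(path) }
end

# Map a source path to a tag using strict matching. A nil source (field
# unset, as suggested in the last reply) yields no tag instead of an error.
def tag_for(source, ip_to_tag)
  return nil if source.nil?
  ip_to_tag.each do |ip, tag|
    return tag if strict_pattern(ip).match?(source)
  end
  nil
end

# Hypothetical tag names for illustration only.
TAGS = { "192.0.2.4" => "host_a", "192.0.2.46" => "host_b" }.freeze

if __FILE__ == $PROGRAM_NAME
  puts "loose : #{matching_paths(loose_pattern('192.0.2.4'), SAMPLE_PATHS).inspect}"
  puts "strict: #{matching_paths(strict_pattern('192.0.2.4'), SAMPLE_PATHS).inspect}"
  SAMPLE_PATHS.each { |path| puts "#{path} -> #{tag_for(path, TAGS).inspect}" }
end
```

The loose pattern tags all four paths, including `/var/log/192.0.254.1/`, where an unescaped dot matches the `5`; the strict pattern tags only the `.4` directory.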