Conditional filtering not working in logstash

We have the below setup in Filebeat, based on which we are using filtering in Logstash, but it is not working as expected.
Filebeat input:

- type: log
  paths:
    - /app/logpath
  fields:
    log_type: apache_access
    application: demo
    sub_application: demo1
    env: demo3

Based on the above we have created conditional "if" filtering in Logstash as below:

filter {
if [fields] [log_type] in ["apache_access"] and [fields] [application] == "demo" and [fields] [sub-application] == demo1 and [fields] [env] == demo3
grok {
......
}
}

output
{
...
}

But the above if is not working and it's taking input from env demo4 as well. Also it never follows the grok filter when using the if statement.

Can anyone please help with what we are missing here?

Using the output stdout { codec => rubydebug } what does the doc received from beats look like?

It receives the output as per the filter if we don't use the below conditional filter:

[fields] [log_type] in ["apache_access"] and [fields] [application] == "demo" and [fields] [sub-application] == demo1 and [fields] [env] == demo3"

but doesn't when using the conditional filtering; instead it just prints the output as it comes from Beats.

I think the conditional is wrong, the fields are not in the shape that you are expecting.

That is why I asked you to post output from stdout.
e.g. Something like:

{
     "log_event" => {
             "id" => "rtwert",
           "bank" => "yes",
           "proc" => nil,
          "count" => "5",
        "session" => "****",
    },
      "@version" => "1",
          "host" => "Elastics-MacBook-Pro.local",
       "message" => "blah bla blah",
      "sequence" => 0,
    "@timestamp" => 2019-02-05T11:31:45.347Z
}

PFB output of the stdout.

I am using log_type in filter. Below is the setting I am using.

[image: screenshot of the Logstash conditional setting]

Thanks.

I think the problem lies with the in operator.
It has two modes.
Substring containment mode and Array containment mode.
The mode used depends on the LHS vs RHS.
If the field accessor pattern is on the LHS then it is in Array containment mode.
If a String constant is on the LHS then it is in String containment mode.

if "foo" in [field] {
  # executed if the value in [field] contains the string "foo"
}
if [field] in ["foo", "bar", "baz"] {
  # executed if the value in [field] is exactly one of the Array elements "foo" or "bar" or "baz"
}

Thanks for your reply.

I have tried both scenarios like below:

if "uat01" in [env] {
grok filter
}

if [env] in ["uat01"] {
grok filter
}

and both times it skips the grok pattern and prints the logs as is.

It should be [fields][env], not just [env].

Hi Badger,

I tried the same as well. PFB conditional input field and output for the same.

Still no go! :(

Please double check all your strings and field names in the conditional statements.
In your first post you have:
if [fields] [log_type] in ["apache_access"] and [fields] [application] == "demo" and [fields] [sub-application] == demo1 and [fields] [env] == demo3

Was this copied and pasted from your actual config or re-typed into the post?
There are problems with it, as seen above, which will give syntax errors.

  1. There should be no space between nested field brackets: [fields][log_type], not [fields] [log_type]; this does not compile.
  2. You put demo1 and demo3 in without quotes. These are called "barewords" in the syntax. This does compile but hides the intention of what you are doing. You should use quotes consistently.
  3. You specify [fields] [sub-application] but later, if we squint hard at the images, we see it should be [fields][sub_application], with an underscore.

I'd like to give you some words of advice.

I have been through your posts from Elasticsearch through Kibana and then here. Regarding the Logstash ones, @Badger and I have helped you solve three problems. You seem quick to fire off a question using either a hypothetical scenario or a config snippet that may or may not be the actual running config, without showing samples of the incoming event/doc or the desired outgoing event/doc. Be aware that some people helping on this forum are volunteers; Badger is one (and doing a great job, and it would be tragic if he went away), so please try to work methodically, with precision, and provide the actual config and redacted text-based samples of the incoming event and the outgoing event in the shape you need (adjust the config to suit if redacting the sample).

That said, here are examples of a variety of solutions that work on 5.6.4, 6.6.0 and 7.0.0-SNAPSHOT in ruby execution mode and java execution mode.

input {
  generator {
    lines => [
      '{"fields":{"env":"uat01","log_type":"apache_access_uat01","application":"lnp","sub_application":"foo"},"access_response-time":"21","access_response-code":"200","access_response-size":"34183"}',
      '{"fields":{"env":"prod42","log_type":"apache_access_prod","application":"lnp","sub_application":"bar"},"access_response-time":"13","access_response-code":"200","access_response-size":"4000"}'
    ]
    count => 1
  }
}

filter {
  json {
    source => "[message]"
    remove_field => ["[message]"]
  }
  if [fields][log_type] =~ /^apache_access/ and [fields][application] == "lnp" and [fields][sub_application] == "foo" and [fields][env] == "uat01" {
    mutate {
      add_tag => ["regex-conditional"]
    }
  }
  if "apache_access_prod" in [fields][log_type] and [fields][application] == "lnp" and [fields][sub_application] == "bar" and [fields][env] == "prod42" {
    mutate {
      add_tag => ["in-conditional"]
    }
  }
}

output {
  stdout { codec => rubydebug }
}

Gives:

{
                "sequence" => 0,
    "access_response-size" => "34183",
              "@timestamp" => 2019-02-06T09:53:40.974Z,
                    "tags" => [
        [0] "regex-conditional"
    ],
                "@version" => "1",
    "access_response-code" => "200",
    "access_response-time" => "21",
                    "host" => "Elastics-MacBook-Pro.local",
                  "fields" => {
            "application" => "lnp",
                    "env" => "uat01",
               "log_type" => "apache_access_uat01",
        "sub_application" => "foo"
    }
}
{
                "sequence" => 0,
    "access_response-size" => "4000",
              "@timestamp" => 2019-02-06T09:53:41.000Z,
                    "tags" => [
        [0] "in-conditional"
    ],
                "@version" => "1",
    "access_response-code" => "200",
    "access_response-time" => "13",
                    "host" => "Elastics-MacBook-Pro.local",
                  "fields" => {
            "application" => "lnp",
                    "env" => "prod42",
               "log_type" => "apache_access_prod",
        "sub_application" => "bar"
    }
}
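As an added illustration written for this page (not code from the thread or from Logstash itself), the following Python emulation models the semantics discussed above: resolving nested field references such as [fields][env] versus a bare [env], rejecting the spaced form [fields] [env] that does not compile, and the two modes of the in operator; it then runs the two generator events through the same two conditions. The event dictionaries and helper names are constructed for the example.

```python
import re

# Constructed sample: the two generator events above, as Logstash holds them
# after the json filter (the nested "fields" object from beats).
EVENTS = [
    {"fields": {"env": "uat01", "log_type": "apache_access_uat01",
                "application": "lnp", "sub_application": "foo"}},
    {"fields": {"env": "prod42", "log_type": "apache_access_prod",
                "application": "lnp", "sub_application": "bar"}},
]

_REF_SHAPE = re.compile(r"(\[[^\[\]]+\])+")  # [a][b], no spaces between
_REF_PART = re.compile(r"\[([^\[\]]+)\]")

def get_field(event, ref):
    """Resolve a field reference such as '[fields][env]' against an event.
    Returns None if any path component is missing, so a bare '[env]' never
    matches a beats event that nests env under 'fields'."""
    if not _REF_SHAPE.fullmatch(ref):
        raise ValueError(f"malformed field reference: {ref!r}")  # '[fields] [env]'
    node = event
    for key in _REF_PART.findall(ref):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def in_op(lhs, rhs):
    """The two modes of Logstash 'in': a string literal on the left means
    substring containment in the field value; a field on the left with an
    array on the right means exact membership."""
    if isinstance(rhs, list):
        return lhs in rhs                       # [field] in ["a", "b"]
    return rhs is not None and lhs in str(rhs)  # "a" in [field]

def tag_event(event):
    """Apply the two conditionals from the generator example; return the tags."""
    f = lambda ref: get_field(event, ref)
    tags = []
    if (re.match(r"^apache_access", f("[fields][log_type]") or "")
            and f("[fields][application]") == "lnp"
            and f("[fields][sub_application]") == "foo"
            and f("[fields][env]") == "uat01"):
        tags.append("regex-conditional")
    if (in_op("apache_access_prod", f("[fields][log_type]"))
            and f("[fields][application]") == "lnp"
            and f("[fields][sub_application]") == "bar"
            and f("[fields][env]") == "prod42"):
        tags.append("in-conditional")
    return tags
```

Calling tag_event on each event yields the same tags the rubydebug output above shows, while get_field(EVENTS[0], "[env]") returns None, which is why the [env] variants tried earlier in the thread never fired.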

Thank you all for your prompt replies and help in the post!

You can refer to my latest update, which has all the details you were seeking in order to help! I will still try to get to the depth of the issue I am facing based on the response and inputs you shared, and update here.

I really appreciate your words of advice, but I am not sure why you think that I am blindly sending questions or hypothetically creating posts; to be frank, this is all a running setup I am using for one of our customers. The only thing that is bothering me here is the if condition, which is not working properly. This is the first time we are trying to install and configure ELK in our environment, and as newbies we have questions which we are posting here without any personal agenda. Still, apologies if any words or posts caused inconvenience to you all.

I understand that you may not have experience with ELK; that is fine.

The advice I gave is not to criticise you or your knowledge, it is meant to guide you on how to prepare your questions and answers to get to a solution with the least amount of back and forth questions before a full idea of the problem is understood.

It is not always easy for us to keep track of the state of 5-15 unsolved questions across several days across all the various technologies (jdbc, grok, tcp, netflow, AWS, ssh certs, mongodb, elasticsearch, monitoring, lookups etc.). Logstash is a complex tool (with quirks) and it is difficult to fully master.

I'm very sure you do not intend to make it trickier for us to help you and that is the position we take for all forum users. The advice is given because I suspect that you will have more questions as you work to find a solution for your customer(s), again fine, and so not a one-off post user for whom the giving of this advice would not make sense.

Thanks guyboertje,

I have marked this thread as resolved now.

I had given an unnecessary square bracket after giving the required data, which was causing the issue.
