Please double check all your strings and field names in the conditional statements.
In your first post you have:
if [fields] [log_type] in ["apache_access"] and [fields] [application] == "demo" and [fields] [sub-application] == demo1 and [fields] [env] == demo3
Was this copied and pasted from your actual config or retyped into the post?
There are problems with it, as seen above, which will give syntax errors.
- There should be no space between nested field brackets: [fields][log_type], not [fields] [log_type]; the latter does not compile.
- You put demo1 and demo3 in without quotes. These are called "barewords" in the syntax. This does compile but hides the intention of what you are doing. You should use quotes consistently.
- You specify [fields] [sub-application], but later, if we squint hard at the images, we see it should be [fields][sub_application], with an underscore.
I'd like to give you some words of advice.
I have been through your posts from Elasticsearch through Kibana and then here. Regarding the Logstash ones, @Badger and I have helped you solve three problems. You seem quick to fire off a question using either a hypothetical scenario or a config snippet that may or may not be the actual running config, without showing samples of the incoming event/doc or the desired outgoing event/doc. Be aware that some people helping on this forum are volunteers; Badger is one (and doing a great job, and it would be tragic if he went away), so please try to work methodically, with precision, and provide the actual config and redacted, text-based samples of the incoming event and the outgoing event in the shape you need (adjust the config to suit if redacting the sample).
That said, here are examples of a variety of solutions that work on 5.6.4, 6.6.0 and 7.0.0-SNAPSHOT in ruby execution mode and java execution mode.
input {
  generator {
    lines => [
      '{"fields":{"env":"uat01","log_type":"apache_access_uat01","application":"lnp","sub_application":"foo"},"access_response-time":"21","access_response-code":"200","access_response-size":"34183"}',
      '{"fields":{"env":"prod42","log_type":"apache_access_prod","application":"lnp","sub_application":"bar"},"access_response-time":"13","access_response-code":"200","access_response-size":"4000"}'
    ]
    count => 1
  }
}
filter {
  # The generator puts each line in [message]; parse it into top-level fields.
  json {
    source => "[message]"
    remove_field => ["[message]"]
  }
  # Regex match on log_type, exact match on the other nested fields (all quoted).
  if [fields][log_type] =~ /^apache_access/ and [fields][application] == "lnp" and [fields][sub_application] == "foo" and [fields][env] == "uat01" {
    mutate {
      add_tag => ["regex-conditional"]
    }
  }
  # Substring match with "in" on log_type, exact match on the rest.
  if "apache_access_prod" in [fields][log_type] and [fields][application] == "lnp" and [fields][sub_application] == "bar" and [fields][env] == "prod42" {
    mutate {
      add_tag => ["in-conditional"]
    }
  }
}
output {
  stdout { codec => rubydebug }
}
Gives:
{
                 "sequence" => 0,
     "access_response-size" => "34183",
               "@timestamp" => 2019-02-06T09:53:40.974Z,
                     "tags" => [
        [0] "regex-conditional"
    ],
                 "@version" => "1",
     "access_response-code" => "200",
     "access_response-time" => "21",
                     "host" => "Elastics-MacBook-Pro.local",
                   "fields" => {
            "application" => "lnp",
                    "env" => "uat01",
               "log_type" => "apache_access_uat01",
        "sub_application" => "foo"
    }
}
{
                 "sequence" => 0,
     "access_response-size" => "4000",
               "@timestamp" => 2019-02-06T09:53:41.000Z,
                     "tags" => [
        [0] "in-conditional"
    ],
                 "@version" => "1",
     "access_response-code" => "200",
     "access_response-time" => "13",
                     "host" => "Elastics-MacBook-Pro.local",
                   "fields" => {
            "application" => "lnp",
                    "env" => "prod42",
               "log_type" => "apache_access_prod",
        "sub_application" => "bar"
    }
}
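As an added example (not from the post above and not part of Logstash), here is a small Ruby lint that checks one conditional line against a sample event for the three mistakes discussed: whitespace between nested brackets, unquoted barewords, and field paths (such as a hyphen where the event has an underscore) that do not exist in the event. The sample event is constructed from the shape of the generator lines; the checker only inspects `if` lines and does not parse the full Logstash config grammar.

```ruby
require 'json'

# Constructed sample event in the shape of the generator lines in the post:
# the conditional fields nest under "fields" and use underscores.
SAMPLE_EVENT = JSON.parse(
  '{"fields":{"env":"uat01","log_type":"apache_access_uat01",' \
  '"application":"lnp","sub_application":"foo"},"access_response-time":"21"}'
)

# Field references in a conditional as path arrays, e.g.
# "[fields][log_type]" => ["fields", "log_type"]. Segments separated by
# whitespace are treated as separate references (so "[fields] [log_type]"
# yields ["fields"] and ["log_type"]); quoted list literals such as
# ["apache_access"] are skipped.
def field_refs(line)
  line.scan(/(?:\[[^\[\]"']+\])+/).map { |ref| ref.scan(/\[([^\[\]]+)\]/).flatten }
end

# True if every segment of the path exists as a nested Hash key in the event.
def path_present?(event, path)
  node = event
  path.each do |key|
    return false unless node.is_a?(Hash) && node.key?(key)
    node = node[key]
  end
  true
end

# Returns an array of problem strings for one `if ...` line (empty if clean).
def lint_conditional(line, event)
  problems = []
  # 1. Whitespace between nested bracket segments does not compile.
  problems << 'space between nested field brackets' if line =~ /\]\s+\[/
  # 2. Barewords after == or != compile, but compare against the literal word.
  line.scan(/(?:==|!=)\s*([A-Za-z_][\w-]*)/).flatten.each do |word|
    problems << "bareword #{word.inspect} (quote it)"
  end
  # 3. Every referenced path must exist in the sample event; this is how a
  #    hyphen/underscore mismatch such as [sub-application] shows up.
  field_refs(line).each do |path|
    next if path_present?(event, path)
    problems << "field [#{path.join('][')}] not found in sample event"
  end
  problems
end

if __FILE__ == $PROGRAM_NAME
  broken = 'if [fields] [log_type] in ["apache_access"] and [fields] [sub-application] == demo1'
  puts lint_conditional(broken, SAMPLE_EVENT)
end
```

Run it with each conditional from the real config and the real (redacted) sample event; an empty result for every line is what you want before posting a question.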