Conditional IF in logstash's filter

Beuhlet_Reseau · May 15, 2017, 2:15pm

Hello, i work on conditional filter in logstash.

Currently it's not working

Here a few example of line in my file :

20170415020000;Nb_RQ_live-C-FWK-WRK-DM-2;server5;2
20170415020000;Nb_RQ_live-C-FWK-WRK-DM-2;server2;5
20170415020000;Nb_RQ_live-C-FWK-WRK-DM-1;7

20170415021000;RAM_process-C-FWK-RQ-3;server5;POV;901.906
20170415021000;RAM_process-C-FWK-RQ-3;server2;POV;846.59
20170415021000;RAM_process-C-FWK-RQ-3;server5;CORB;3246.39
20170415021000;RAM_process-C-FWK-RQ-3;server2;CORB;2996.37

20170415021000;LU_Total_Refresh-C-FWK_STP-3;server5;POV;8
20170415021000;LU_Total_Terminate-C-FWK_STP-3;server5;POV;0
20170415021000;LU_Number_Delete-C-FWK_STP-3;server5;POV;0

So, i use this to parse my file (not complet) :

filter {
if [type] == "q_compteur" {
 if [message] =~ /^"Nb_RQ_live-C-FWK-WRK-DM-2"/ {
    csv {
      columns => [ "RQ_live_date", "Name_RQ_live", "server", "Nb_RQ_live" ]
        separator => ";"
        }

    mutate {
        remove_field => [ "message", "tags", "host", "path" ]
        convert => {
                   "Nb_RQ_live" => "integer"
                   }
           }

    date {
      match => [ "RQ_live_date" , "YYYYMMddHHmmss" ]
      remove_field => ["RQ_live_date"]
         }
                                                                                  }
                                                                                  
    else if [message] =~ /^"Nb_RQ_live-C-FWK-WRK-DM-1"/ {
    csv {
      columns => [ "RQ_live_date", "Name_RQ_live_total", "Nb_RQ_live_total" ]
        separator => ";"
        }

    mutate {
        remove_field => [ "message", "tags", "host", "path" ]
        convert => {
                   "Nb_RQ_live_total" => "integer"
                   }
           }

    date {
      match => [ "RQ_live_date" , "YYYYMMddHHmmss" ]
      remove_field => ["RQ_live_date"]
         }
                                                                                  }                                                                              
                                                                                  
    else if [message] =~ /^"LU_Total_Refresh-C-FWK_STP-3"/ {
    csv {
      columns => [ "LU_refresh_date", "Name_LU_refresh", "server", "Type_refresh", "Nb_refresh" ]
        separator => ";"
        }

    mutate {
        remove_field => [ "message", "tags", "host", "path" ]
        convert => {
                   "Nb_refresh" => "integer"
                   }
           }

    date {
      match => [ "LU_refresh_date" , "YYYYMMddHHmmss" ]
      remove_field => ["LU_refresh_date"]
         }
                                                                                  }
    else if [message] =~ /^"LU_Number_Delete-C-FWK_STP-3"/ {[..........]

Is the good method ? I have other lines in file but i don't need.

magnusbaeck · May 15, 2017, 2:51pm

if [message] =~ /^"Nb_RQ_live-C-FWK-WRK-DM-2"/ {

This condition will never be true because none of your log lines begin with "Nb_RQ_live-C-FWK-WRK-DM-2". Perhaps you should say

if [message] =~ /;Nb_RQ_live-C-FWK-WRK-DM-2;/ {

instead.

Beuhlet_Reseau · May 17, 2017, 12:07pm

It's very bizare , because it's seems to perform with this syntax !

I will change for your syntaxe but currently it's good.

You find good my method ?

=> Match line with IF
=> ELSE IF for other matching
=> Others lines are drop (at the end else {{drop}})

EDIT : NOO, i use it for match line excuse me :

if [message] =~ "\bSession_PolicyManager_G5R2-C-PM-GX-REQ-3-Schema-Type-NbSession\b" {

I believe it said all line with this characters are matched

system · June 14, 2017, 12:07pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.