Conditional Input based on Regex

Elastic Stack Logstash
1

Hi, can we do conditional input to a "field" based on regex. I am able to achieve same in painless scripting but want to achieve it in Logstash.

below is example from painless.

if (doc['Mach.keyword'].value =~ /^T\d{4}WKS([0-9]+)$/) {
return "NZ";
} else if (doc['Mach.keyword'].value =~ /^\w{7}+$/) {
return "AUS";
} else if (doc['Mach.keyword'].value =~ /^\w{12}+$/) {
return "JAP";
}
return "CH";

tried through grok filter but unable to figure out syntax in documentation. Any advice or help.

Thanks You...

2

Translation should be pretty straightforward, conditionals allow for regex matching. Like so:

if [Mach] =~ /^T\d{4}WKS([0-9]+)$/ {
  # do stuff
} 
else if [Mach] =~ /^\w{7}+$/ {
  # do stuff
} 
else if [Mach] =~ /^\w{12}+$/ {
  # do stuff
}
else {
  # do stuff
}
3

thanks for responding, no luck with below statements. :frowning:

grok{
if [Mach] =~ /^T\d{4}WKS([0-9]+)$/ {
mutate {
add_field => {"ctry" => "NZ"}
}
}
else {
mutate {
add_field => {"ctry" => "AUS" }
}
}

}

and even tried below

grok{
if "/^T\d{4}WKS([0-9]+)$/" in [MACH] {
mutate {
add_field => {"ctry" => "NZ" }
}
else {
mutate {
add_field => {"ctry" => "AUS" }
}

}

}

4

What does an example event produced by Logstash look like? Use a stdout { codec => rubydebug } output.

5

Hey thanks guys...below code worked :grinning:

seems no need to mention Grok again; correct only one time is enough ?...i think that was the mistake i made...

if [Mach] =~ /^T\d{4}WKS([0-9]+)$/ {
mutate {
add_field => {"ctry" => "NZ"}
}
}
else {
mutate {
add_field => {"ctry" => "AUS" }
}