Conditional statement in logstash output doesn't work

Elastic Stack Logstash
1

Hello I've made a conditional statement in the output of logstash, but the else statement doesn't work. When I send INFO logs they get into the if statement, but when I send logs different from these, they don't get into the else statement and they are not shown in tpms-system index.

Here is my output section:

output{
  stdout{
    codec => dots
  }

  if [message] =~ "\D\[INFO\s\]:.*\[ELASTICSEARCH\].*" or [message] =~ "\D\[INFO\]:.*\[ELASTICSEARCH\].*" {
   elasticsearch {
    hosts => ["https://localhost:9200"]
    user => logstash
    password => logstash
    ssl => true
    ssl_certificate_verification => false
    document_id => "%{fingerprint}"
    index => "beat-tpms"
   }
  }else{
   elasticsearch {
    hosts => ["https://localhost:9200"]
    user => logstash
    password => logstash
    ssl => true
    ssl_certificate_verification => false
    document_id => "%{fingerprint}"
    index => "tpms-system"
   }
 }
}

The regex expression is correct because I'm using the same in filebeat.yml file to recieve only these INFO logs and is working.

2

How many documents are there in the tpms-system index?

3
  1. There're no documents and I don't know why.
4

For some reason logstash doesn't send docs to tpms-system index. It turns out that it was a permission issue.

5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.