Thanks for the replies.
What I am trying to do is simply match the value of a field. I have a field 'event-type'. This field can contain the string 'API_CALL'. I want the dissect from my OP to only be tried when event-type == 'API_CALL'.
The funny thing is, I have a few processors in the pipeline already. When I save, it's OK and it processes the document I feed it. When I go to Dev Tools and do GET _ingest/pipeline/pipelinename I get the pipeline in return. But when I then do PUT _ingest/pipeline/my-pipeline with the exact JSON I just got returned, I get a parse exception. Funny.
I already found out I somehow seem to need to use that (horrible) painless stuff. Apparently I need to use ctx as source and then elaborate on that. However just: ctx.event-type == API_CALL still gives a compile error.
I tried aaron_nimocks' suggestion:
POST _ingest/pipeline/AAB_AGL/_simulate
{
  "AAB_AGL" : {
    "processors" : [
      {
        "dissect" : {
          "field" : "message",
          "pattern" : "ts: %{ts} | logLevel: %{log-level} | appId: %{app-id} | thread: %{thread-id} | SID: %{session-id} | TN: %{transaction-id} | clientIp: %{client-ip} | userId: %{user-id} | apiType: %{api-type} | api: %{api-url} | platform: %{platform} | eventType: %{event-type} | %{additional-data}"
        }
      },
      {
        "trim" : {
          "field" : "app-id",
          "ignore_failure" : true
        }
      },
      {
        "trim" : {
          "field" : "client-ip",
          "ignore_failure" : true
        }
      },
      {
        "trim" : {
          "field" : "api-type",
          "ignore_failure" : true
        }
      },
      {
        "trim" : {
          "field" : "api-url",
          "ignore_failure" : true
        }
      },
      {
        "dissect" : {
          "field" : "additional-data",
          "pattern" : "message: %{ms-url}|%{ms-result-code}|%{ms-result}|%{execution-time}",
          "if": "ctx.event-type == API_CALL",
          "value": true
        }
      }
    ]
  }
}
But this results in:
{
  "error" : {
    "root_cause" : [
      {
        "type" : "parse_exception",
        "reason" : "[docs] required property is missing",
        "property_name" : "docs"
      }
    ],
    "type" : "parse_exception",
    "reason" : "[docs] required property is missing",
    "property_name" : "docs"
  },
  "status" : 400
}
Feel free to try.
This is an anonymised document I test with.
{
  "_source": {
    "@timestamp": "2022-01-20T12:56:45.262Z",
    "@metadata": {
      "beat": "filebeat",
      "type": "_doc",
      "version": "7.16.2"
    },
    "fields": {
      "environment": "production"
    },
    "agent": {
      "hostname": "server1.prdl.itv.local",
      "ephemeral_id": "866496c4-e379-421e-930c-1ade47f5105c",
      "id": "a86414cc-90f1-4b71-9723-d115033864d7",
      "name": "server1.prdl.itv.local",
      "type": "filebeat",
      "version": "7.16.2"
    },
    "ecs": {
      "version": "1.12.0"
    },
    "message": "ts: 2022-01-20 13:56:44.299 | logLevel: INFO | appId: AGL | thread: 111309 | SID: 1e7ad1c0-e99a-7af6-edd4-a3384bd19247 | TN: a39ffed3-7120-6313-ab67-045ee0ef6f20 | clientIp: 127.0.0.1 | userId: 0000000 | apiType: NANO | api: POST /100/1.2.0/A/nld/stb/kpn/API-1/MS-1 | platform: stb | eventType: API_CALL | message: http://newservername:8080/new-api-name/b2b/tokens?channel=stb&lang=nld|20X|ACN_200|5",
    "log": {
      "file": {
        "path": "/product/AGL/agl-core/logs/agl.log"
      },
      "offset": 2884772107
    },
    "tags": [
      "avs6",
      "api-log",
      "apigateway",
      "asd"
    ],
    "input": {
      "type": "log"
    }
  }
}
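An added example, not part of the original post: a simulate request for the conditional dissect described above, with the body keyed on `pipeline` and `docs` as the `_simulate` endpoint requires and the condition written with bracket access (`ctx['event-type']`), because Painless reads `ctx.event-type` as a subtraction. The sample document is cut down to the `message` field from the post, and the trim processors and the `value` key are left out.

```console
# Added example, not from the original post. The document is the post's test message, cut down to one field.
POST _ingest/pipeline/_simulate
{
  "pipeline": {
    "processors": [
      {
        "dissect": {
          "field": "message",
          "pattern": "ts: %{ts} | logLevel: %{log-level} | appId: %{app-id} | thread: %{thread-id} | SID: %{session-id} | TN: %{transaction-id} | clientIp: %{client-ip} | userId: %{user-id} | apiType: %{api-type} | api: %{api-url} | platform: %{platform} | eventType: %{event-type} | %{additional-data}"
        }
      },
      {
        "dissect": {
          "if": "ctx['event-type'] == 'API_CALL'",
          "field": "additional-data",
          "pattern": "message: %{ms-url}|%{ms-result-code}|%{ms-result}|%{execution-time}"
        }
      }
    ]
  },
  "docs": [
    {
      "_source": {
        "message": "ts: 2022-01-20 13:56:44.299 | logLevel: INFO | appId: AGL | thread: 111309 | SID: 1e7ad1c0-e99a-7af6-edd4-a3384bd19247 | TN: a39ffed3-7120-6313-ab67-045ee0ef6f20 | clientIp: 127.0.0.1 | userId: 0000000 | apiType: NANO | api: POST /100/1.2.0/A/nld/stb/kpn/API-1/MS-1 | platform: stb | eventType: API_CALL | message: http://newservername:8080/new-api-name/b2b/tokens?channel=stb&lang=nld|20X|ACN_200|5"
      }
    }
  ]
}
```

With the pipeline id in the URL, as in `POST _ingest/pipeline/AAB_AGL/_simulate`, the stored pipeline is used and the body needs only `docs`.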