Conditionals not working on numeric fields

Sjaak01 · January 22, 2018, 4:42am

Hi,

I'm having an issue with conditionals and numeric fields. The config below only works if I first convert my fields to a string.

I found a blog that mentions if ([foo]) { ... } should work for numeric fields but

  if ([netflow][l4_src_port]) == "8888" {
     drop { }
  }

does not (logstash trows an error). I couldn't find anything in the Docs either.

What is the correct way to handle numeric fields and conditionals?

filter {
  if [type] == "netflow" {

   if ![netflow][ipv4_src_addr] {
     drop { }
  }

  mutate {
     convert => { "[netflow][l4_src_port]" => "string" }
     convert => { "[netflow][l4_dst_port]" => "string" }
  }

  if [netflow][l4_src_port] == "8888" {
     drop { }
  }

  if [netflow][l4_dst_port] == "8888" {
     drop { }
  }

  if [netflow][l4_src_port] == "9993" {
     drop { }
  }


  if [netflow][l4_dst_port] == "9993" {
     drop { }
  }

magnusbaeck · January 22, 2018, 9:20pm

For numerical comparisons don't double-quote the operand, i.e. say 8888 instead of "8888".

Sjaak01 · January 24, 2018, 9:04am

Thanks as always. I will try that.

system · February 21, 2018, 9:05am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.