Conditionals with multiple strings

jcannell · March 15, 2017, 2:52pm

Hello,

I'm trying to drop an event should there be either "Device Product" or "Device Vendor" in the [message] field.

This works fine:

 if ("Device Vendor" in [message] or "Device Product" in [message]) {
        drop { }
    }

However, this does not (causes logstash to crash when launched):

 if (["Device Vendor", "Device Product"] in [message]) {
        drop { }
    }

My questions:

How can I easily support lists of strings I don't want in a field without and'ing or or'ing excessively?
How can I format my config files on this forum so they're easily readable (sorry, new here and I can't seem to figure it out)?

Thank you.

magnusbaeck · March 15, 2017, 3:03pm

How can I easily support lists of strings I don't want in a field without and'ing or or'ing excessively?

I don't believe that's possible.

How can I format my config files on this forum so they're easily readable (sorry, new here and I can't seem to figure it out)?

The toolbar contains a </> button for marking text as preformatted. Use it for configuration files and log snippets. If you're familiar with Markdown that's what's used here.

jcannell · March 15, 2017, 4:40pm

Interesting.

I saw this example on https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html

if [foo] in ["hello", "world", "foo"] {
    mutate { add_tag => "field in list" }
  }

I figured the inverse would be true (values in field instead of field in values), but I suppose it isn't.

system · April 12, 2017, 4:41pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.