Config Map condition based on the log event on child element

rravitech · February 22, 2023, 7:04pm

Here is what i am trying to achieve.

Below is my log event

 {
		  "version" : "1.0.0",
          "message" : "noisemaker draftsmanship's soundproofing grads werewolf's",
          "@version" : "1",
          "logplane" : "logs-lj",
          "pipeline_data" : [
            {
              "lumberjack_ext_lj_1" : 6
            },
            {
              "lumberjack_ext_lj_2" : 6
            }
          ],
          "@timestamp" : "2023-02-22T18:54:36.515Z"
        }

And here is my config map. i know that the pipeline_data is an array, but how can I add a condition out of the child elements in that.


 if [pipeline_data][lumberjack_ext_lj_1] {
       if [pipeline_data][lumberjack_ext_lj_1] > 120 {
          exec {
            command => ""
          }
          pipeline { send_to => "droppipeline" }
        }
  {{- end }}

leandrojmp · February 22, 2023, 7:14pm

You need to access it using the index on the array, like [pipeline_data][0][lumberjack_ext_lj_1].

But if the index in the array can change you may need to transform your data like using a split filter to create a new document for each item in the array, or writing a ruby script to create a new dynamic field for each item in the array.

Badger · February 22, 2023, 8:28pm

There is no exec filter, you will have to do that in ruby.

leandrojmp · February 22, 2023, 8:34pm

If I'm not wrong this is in the output block, since there is a pipeline output after the exec, which is a output plugin.

Badger · February 22, 2023, 10:09pm

I think you are right. My mistake!

I did not know there was an exec output. I cannot imagine wanting to fork the JVM and exec another command for each event. It's going to be really expensive.

system · March 22, 2023, 10:09pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.