Config Map condition based on the log event on child element

Elastic Stack Logstash
1

Here is what i am trying to achieve.

Below is my log event

 {
		  "version" : "1.0.0",
          "message" : "noisemaker draftsmanship's soundproofing grads werewolf's",
          "@version" : "1",
          "logplane" : "logs-lj",
          "pipeline_data" : [
            {
              "lumberjack_ext_lj_1" : 6
            },
            {
              "lumberjack_ext_lj_2" : 6
            }
          ],
          "@timestamp" : "2023-02-22T18:54:36.515Z"
        }

And here is my config map. i know that the pipeline_data is an array, but how can I add a condition out of the child elements in that.


 if [pipeline_data][lumberjack_ext_lj_1] {
       if [pipeline_data][lumberjack_ext_lj_1] > 120 {
          exec {
            command => ""
          }
          pipeline { send_to => "droppipeline" }
        }
  {{- end }}
2

You need to access it using the index on the array, like [pipeline_data][0][lumberjack_ext_lj_1].

But if the index in the array can change you may need to transform your data like using a split filter to create a new document for each item in the array, or writing a ruby script to create a new dynamic field for each item in the array.

3

There is no exec filter, you will have to do that in ruby.

4

If I'm not wrong this is in the output block, since there is a pipeline output after the exec, which is a output plugin.

5

I think you are right. My mistake!

I did not know there was an exec output. I cannot imagine wanting to fork the JVM and exec another command for each event. It's going to be really expensive.