Correct formatting for using OR and WHEN condition in a processor

My filebeat config consists of the following relevant snippet-

Blockquote

• decode_json_fields:
  when:
  contains:
  docker.container.labels.com.docker.swarm.service.name: "name"
  fields: ["message"]
  process_array: false
  max_depth: 1
  target: ""
  overwrite_keys: false

Blockquote

I need to add two additional service names so that I am parsing the nested json only for those services.

The configuration above works correctly for a single service name, but I can't seem to figure out how to add the additional terms.

I have tried passing in an array of service names like this-

docker.container.labels.com.docker.swarm.service.name: "[service name1, service name 2, service name 3]"

but that didn't work.

I also tried adding an OR operator like this-

when:
or:
- contains:
docker.container.labels.com.docker.swarm.service.name: "<service name 1>"
- contains:
docker.container.labels.com.docker.swarm.service.name: "<service name 2>"
- contains:
docker.container.labels.com.docker.swarm.service.name: "<service name 3>"

but that didn't work either.

Can someone provide the correct syntax to accomplish this?

Thanks in advance!

OK, figured out the syntax, didn't have everything lined up properly.

- decode_json_fields:
when:
   or:
     - contains:
          docker.container.labels.com.docker.swarm.service.name: "a"
   or:
     - contains:
          docker.container.labels.com.docker.swarm.service.name: "b"
   or:
     - contains:
          docker.container.labels.com.docker.swarm.service.name: "c"

fields: ["message"]
process_array: false
max_depth: 1
target: ""
overwrite_keys: false

However, it appears that only the first condition is evaluated (service.name contains 'a') in terms of applying the decode actions.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.