Create arrays in Logstash

Hello guys.

Don't know if it is possible, but I would like to create an array in my Logstash to use in an if statement. I'll give an example for you to understand me.

Giving a random "log to be processed" as example:
random.log:

    Timestamp: 2021-01-26T15:01:38.724Z
    user.id: paul@mail.com
    user.domain: mail.com

I would like to create an array of users for which I would like to add a department to the logs.
My idea would be something like this:
logstash.conf:

    NewArrayFinance => [ {paul@mail.com},{john@mail.com},{mike@mail.com} ]

    filter {

        if [user][id] in [NewArrayFinance] {
            mutate {
                add_field => { "Department" => "Finance" }
            }
        }
    }

Later I will also create other "else if's" for other departments. Or maybe you have an easier way to do it.
Thank you a lot for your time.

Is this an actual log line? Why are the strings encapsulated in curly braces if it is a list?

This is actually not a log line. This is like an "example" of an array that I would like to create, with a list of "finance users". I know the brackets are wrong. And I don't even know if it is possible to create an array for me to use in the "if statement". Thank you for your answer.

You cannot use a variable like that, but you can do

    if [user][id] in [ "paul@mail.com", "john@mail.com", "mike@mail.com" ] {

to do an array membership test.

Very grateful for your answer, and it does actually work; I've tried this already before. That is actually the way that I am using. But my idea was to create something like "some arrays in the beginning of the file, and call them later". Maybe that's not possible, I don't know. Just wanted it to be, like, more organized.

Thank you so much anyways.
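
As an added example that is not part of the thread: the translate filter is one way to keep the user-to-department mapping in a single place instead of a chain of `if` / `else if` membership tests. The `anna@mail.com` entry and the `Unknown` fallback value are constructed for illustration, and older releases of the plugin name the `source` and `target` options `field` and `destination`.

```logstash
filter {
  # Dictionary lookup keyed on the user id. Each user appears once, next
  # to its department, so adding a department means adding entries here
  # rather than writing another conditional.
  # The first three addresses come from the thread; the fourth is a
  # constructed entry showing a second department.
  translate {
    source     => "[user][id]"
    target     => "Department"
    dictionary => {
      "paul@mail.com" => "Finance"
      "john@mail.com" => "Finance"
      "mike@mail.com" => "Finance"
      "anna@mail.com" => "HR"
    }
    # Events whose user is not in the dictionary still get the field,
    # which makes unmapped accounts easy to find in a query.
    fallback   => "Unknown"
  }
}
```

The same mapping can be kept in an external YAML, JSON or CSV file and referenced with `dictionary_path` in place of `dictionary`, which keeps the user list out of the pipeline configuration.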
