Defining "if - elseif - else" when setting up processors?


Some context:
Log Group: MyLogGroupForEC2s
Log Streams:
myhost1-System #EventViewer
myhost1-Application #EventViewer
myhost1-CloudWatchAgent #CustomLogTxt
and many more for the fictitious "myhost1", and a LOT of different hosts.

CloudWatchAgent sends the entire raw EventViewer event as XML into the "message" field. OK, so let's try and define a "processor" to dissect the message field, but here is also my problem:

The EventViewer Application log has the following field for EventID:
<EventID Qualifiers='.'>(.*?)<\/EventID>
while all other EventViewer logs have the following field for EventID:
and, as stated somewhere in the documentation regarding this, if a field is not found then no processing will occur, so we need to differentiate between:
The EventViewer Application log (with "Qualifiers")
All other EventViewer logs (without "Qualifiers")
and the custom txt logs.

I seem to be missing a third option (i.e. "if-else") to do this, if I am grasping this correctly:

```yaml
processors:
  # Beats conditional processor: "if" holds a condition, "then" a list of processors.
  - if:
      regexp:
        log_stream: "-Application$"   # Go regexp; anchor on the stream-name suffix
    then:
      # dissect tokenizers are literal text with %{key} captures, not regexes;
      # %{?name} is a named skip key that swallows text we do not want to keep.
      - dissect:
          tokenizer: "%{?pre}<Computer>%{Computer}</Computer>%{?post}"
          field: "message"
          target_prefix: "winlog"      # result field: winlog.Computer
      - dissect:
          tokenizer: "%{?pre}<Message>%{Message}</Message>%{?post}"
          field: "message"
          target_prefix: "winlog"      # result field: winlog.Message
      - dissect:
          tokenizer: "%{?pre}<Channel>%{Channel}</Channel>%{?post}"
          field: "message"
          target_prefix: "winlog"      # result field: winlog.Channel
      - dissect:
          tokenizer: "%{?pre}<Level>%{Level}</Level>%{?post}"
          field: "message"
          target_prefix: "winlog"      # result field: winlog.Level
      - dissect:
          # Application log events carry a Qualifiers attribute on EventID;
          # the quote style must match the stored XML exactly, the tokenizer is literal.
          tokenizer: "%{?pre}<EventID Qualifiers='%{?qualifiers}'>%{EventID}</EventID>%{?post}"
          field: "message"
          target_prefix: "winlog"      # result field: winlog.EventID
```

The above section would catch all log streams that end with "-Application", but then I need to take into account all other EventViewer logs (those without "Qualifiers") and another section to parse / dissect the custom .txt logs such as the CloudWatchAgent logs.

It's easier for me to handle the exceptions from the "norm" of "EventID" rather than specify all the logs that should be parsed conforming to "EventID".

Might I be better off using Logstash instead of trying to define this process in Functionbeat?

Thank you in advance for any suggestions / help - TheSwede86

Update: Oh, and I know the regex I wrote doesn't work since it uses reserved characters; I need to figure that out, but that's another issue.
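An added example of the "if / else if / else" shape the post is asking for, written as a Beats processors section (this is illustrative config, not from the original post or the Beats project). It assumes the CloudWatch stream name is in a top-level `log_stream` field, that the EventViewer XML is in `message`, that the custom .txt streams end in `-CloudWatchAgent`, and that the single-quoted `Qualifiers` attribute matches what is actually stored. Beats has no `elseif` keyword; the nested `if` inside `else` plays that role. Each branch also tags the event with a constructed `parse.branch` value so you can verify the routing in Kibana.

```yaml
# Added example (not from the original post or the Beats project): one
# processors section that routes every CloudWatch log stream to exactly one
# of three branches. Assumptions: the stream name lives in a top-level
# "log_stream" field, EventViewer XML is in "message", and the custom .txt
# streams end in "-CloudWatchAgent". Dissect tokenizers are literal text with
# %{key} captures; %{?name} is a named skip key. Regexp conditions use Go
# regexp syntax, so the suffix is anchored with "$".
processors:
  # Branch 1: the exception first. Application log events carry
  # <EventID Qualifiers='...'>, so the plain <EventID> pattern would not match them.
  - if:
      regexp:
        log_stream: "-Application$"
    then:
      - dissect:
          tokenizer: "%{?pre}<EventID Qualifiers='%{?qualifiers}'>%{EventID}</EventID>%{?post}"
          field: "message"
          target_prefix: "winlog"          # -> winlog.EventID
      - dissect:
          tokenizer: "%{?pre}<Channel>%{Channel}</Channel>%{?post}"
          field: "message"
          target_prefix: "winlog"          # -> winlog.Channel
      - add_fields:
          target: "parse"
          fields:
            branch: "eventviewer_application"   # constructed tag for verification
    # Branches 2 and 3 live in the else; a nested "if" is the "else if".
    else:
      - if:
          regexp:
            log_stream: "-CloudWatchAgent$"
        then:
          # Branch 2: custom .txt logs. The agent log's line format is not
          # shown in the post, so only a tag is set here; the line-format
          # specific dissect would go in this list.
          - add_fields:
              target: "parse"
              fields:
                branch: "custom_txt"
        else:
          # Branch 3: every remaining stream is an EventViewer channel whose
          # EventID element has no attributes.
          - dissect:
              tokenizer: "%{?pre}<EventID>%{EventID}</EventID>%{?post}"
              field: "message"
              target_prefix: "winlog"      # -> winlog.EventID
          - dissect:
              tokenizer: "%{?pre}<Channel>%{Channel}</Channel>%{?post}"
              field: "message"
              target_prefix: "winlog"      # -> winlog.Channel
          - add_fields:
              target: "parse"
              fields:
                branch: "eventviewer_other"
```

Because a dissect whose tokenizer does not match leaves the target fields unset, the `parse.branch` tag is what makes mis-routing visible: any event tagged `eventviewer_other` or `eventviewer_application` that has no `winlog.EventID` went down the wrong branch or carries XML that differs from the pattern, which is exactly what would silently break a detection keyed on `winlog.EventID`. New EventViewer channels need no config change, since only the exceptions (Application and the .txt streams) are named explicitly.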
