if 'time_duration' < '500' {
  mutate { add_tag => [ "FAST" ] }
}
Two problems:
- Fields are referred to via the square bracket notation, i.e. [time_duration] in this case.
- You need fields to be integers (or doubles) for numerical comparisons to work. See below.
I am using haproxy config, which I don't think I need to print here. But for reference, the bytes_read and the time_duration are INT types.
No, they're strings. That's obvious from the stdout output. The fact that a grok expression uses the predefined INT pattern merely means that the input string will be matched if it's an integer. The result will still be a string unless you add :int, i.e. %{INT:time_duration:int}. If you don't want to modify the original grok patterns you can use the mutate filter's convert option to convert string fields to integer or double fields.
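
Both fixes from the answer above in one filter block, as an added example that is not part of the original posts. The grok pattern is constructed for illustration, because the thread does not show the actual haproxy pattern; the field names time_duration and bytes_read are the ones mentioned in the thread.

```logstash
filter {
  grok {
    # Constructed two-field pattern (assumption, not the poster's haproxy pattern).
    # Option 1: the :int suffix casts time_duration to an integer at capture time.
    # bytes_read has no suffix, so grok stores it as a string.
    match => { "message" => "%{INT:time_duration:int} %{INT:bytes_read}" }
  }

  # Only touch events that grok actually parsed, so the fields exist.
  if "_grokparsefailure" not in [tags] {
    # Option 2: leave the grok pattern unmodified and convert afterwards.
    mutate {
      convert => { "bytes_read" => "integer" }
    }

    # Field reference in square brackets, numeric literal unquoted:
    # this compares integers rather than two string literals.
    if [time_duration] < 500 {
      mutate { add_tag => [ "FAST" ] }
    }
  }
}
```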