Error in Logstash conditional expression

Elastic Stack Logstash
1

I am using Logstash 5.5.0. I have the following configuration:

input { stdin { } }

filter {
  grok {
    match => { "message" => "^(%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{LOGLEVEL:LogLevel}%{SPACE}(?:\[)%{NOTSPACE:ThreadName}(?:\]))?%{SPACE}%{GREEDYDATA:msg}%{SPACE}" }
    if [message] =~ "Exception" or [message] =~ "exception" {
    add_field => { "logtype" => "Exception" }
    }
    else if [message] =~ "ERROR" or [message] =~ "error" {
    add_field => { "logtype" => "Error" }
    }     
    else {
    add_field => { "logtype" => "General" }
    }
  }
}

output {
  stdout { codec => rubydebug }
}

This configuration is giving me the following error on invoking logstash with config.test_and_exit option:

[LogStash::Runner] FATAL logstash.runner - The given configuration is invalid. Reason: Expected one of #, => at line 6, column 8 (byte 217) after filter {
  grok {
    match => { "message" => "^(%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{LOGLEVEL:LogLevel}%{SPACE}(?:\[)%{NOTSPACE:ThreadName}(?:\]))?%{SPACE}%{GREEDYDATA:msg}%{SPACE}" }
    if

What is it that I am doing wrong?

2

You can not have conditional statements within a filter.

3

Can you please suggest a configuration that I can use to achieve what I am trying to do?

4

Something like this should do it:

filter {
  grok {
    match => { "message" => "^(%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{LOGLEVEL:LogLevel}%{SPACE}(?:\[)%{NOTSPACE:ThreadName}(?:\]))?%{SPACE}%{GREEDYDATA:msg}%{SPACE}" }
  }

  if [message] =~ "Exception" or [message] =~ "exception" {
    mutate {  
      add_field => { "logtype" => "Exception" }
    }
  } else if [message] =~ "ERROR" or [message] =~ "error" {
    mutate {    
      add_field => { "logtype" => "Error" }
    }
  } else {
    mutate {
      add_field => { "logtype" => "General" }
    }
  }
}
5

Works perfectly! Thanks!

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.