Evaluate Multiple Strings in IF Statement

I have an IF statement like below:
if "tobem" in [user][url] or "foocrypt" in [user][url] or "theautomatski" in [user][url]

I also imagine that this is going to get a bit larger as time goes on and I identify more users I want to exclude. Is it possible to shorten it down at all, something like below?

if ("value1"|"value2"|"value3") in [field]

Yes.

if [user][url] in [ "tobem" , "foocrypt", "theautomatski" ] ...

Alternatively

if [user][url] =~ "^(tobem|foocrypt|theautomatski)$" ...

The field name is [user][url] and the values are tobem, foocrypt, and theautomatski, which makes it seem like your first suggestion wouldn't work. The second one does not work. I also tried if [ "tobem", "foocrypt", "theautomatski" ] in [user][url] and got an error, No implicit conversion of array into string.

The first one tests whether the value of field called [user][url] is a member of the array. I thought that was what you wanted.

The second probably needs the anchors removed, or / characters added.

Looks like the first one is what I wanted, it just reads weird to the novice (aka, me). Seems like it's saying if value user.url is in field tobem, foocrypt, or theautomatski but it appears I am wrong. Thanks for the help Badger.

EDIT: Nope, that doesn't work. Doesn't throw any errors but it also doesn't drop the events.

Can you show us an event? Either 'output { stdout { codec => rubydebug } }' or from the JSON tab in Kibana?

Line 15 into 16 is the user.url field containing tobem

{
  "_index": "inteltwit-2018.04.01",
  "_type": "doc",
  "_id": "OwSJg2IBPqHGZa-TOcIb",
  "_version": 1,
  "_score": null,
  "_source": {
    "timestamp_ms": "1522625270961",
    "links": [
      "https://t.co/0qKvlh5S2U",
      "https://t.co/Ov0ROPGcBk"
    ],
    "text_original": "This book is about a cyberwar with China. This new type of war, sa https://t.co/0qKvlh5S2U #Cybersecurity #Bitcoin https://t.co/Ov0ROPGcBk",
    "@timestamp": "2018-04-01T23:27:50.000Z",
    "user": {
      "url": "http://tobem.com/cyberwar",
      "id_str": "3875339716",
      "description": null,
      "screen_name": "CyberToolsBooks",
      "time_zone": null,
      "name": "CyberWar Books"
    },
    "hashtags": [
      "#cybersecurity",
      "#bitcoin"
    ],
    "mentioned": [],
    "extended_entities": {},
    "source": "<a href=\"http://www.ajaymatharu.com/\" rel=\"nofollow\">Tweet Old Post</a>",
    "text": "This book is about a cyberwar with China. This new type of war, sa    "
  },
  "fields": {
    "timestamp_ms": [
      "2018-04-01T23:27:50.961Z"
    ],
    "@timestamp": [
      "2018-04-01T23:27:50.000Z"
    ]
  },
  "highlight": {
    "text_original": [
      "This @kibana-highlighted-field@book@/kibana-highlighted-field@ is about a cyberwar with China. This new type of war, sa https://t.co/0qKvlh5S2U #Cybersecurity #Bitcoin https://t.co/Ov0ROPGcBk"
    ],
    "text.stop_analyzed": [
      "This @kibana-highlighted-field@book@/kibana-highlighted-field@ is about a cyberwar with China. This new type of war, sa"
    ],
    "text": [
      "This @kibana-highlighted-field@book@/kibana-highlighted-field@ is about a cyberwar with China. This new type of war, sa"
    ]
  },
  "sort": [
    1522625270000
  ]
}

Testing if [field] in array is testing for string equality between the field and each of the members of the array. Thus "foo" in ["foo", "bar"] is true. However "foo" in ["foot", "hand"] is false.

If you want to drop events from a set of domains (and BTW, it would be helpful in general to provide a description of the problem you are trying to solve when you ask us to help with the solution :slight_smile: ) then something like my second suggestion is more appropriate.

if [user][url] =~ "(tobem|foocrypt|theautomatski)"

might do it. Or perhaps

if [user][url] =~ "\b(tobem|foocrypt|theautomatski)\b"

to avoid matching notfoocrypt.com. Personally I would parse the domain name out of the URL and then match against that to avoid possibly matching those strings against the URI.

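The three matching strategies discussed in the answer above, `[field] in [array]` (whole-string equality), a bare regex alternation, and the `\b`-anchored alternation, plus the recommended approach of parsing the host out of the URL first, can be compared side by side in plain Ruby. The block below is an added example, not Logstash code or code from anyone in the thread; it emulates the semantics of the Logstash conditionals with Ruby operators, and the events, the `BLOCKED` list and every method name are constructed for illustration.

```ruby
require 'uri'

# Constructed sample events shaped like the [user][url] field from the thread.
EVENTS = [
  { "user" => { "url" => "http://tobem.com/cyberwar" } },
  { "user" => { "url" => "https://notfoocrypt.com/page" } },
  { "user" => { "url" => "https://example.org/foocrypt/archive" } },
  { "user" => { "url" => "https://theautomatski.com" } },
  { "user" => { "url" => nil } },
]

# The names the asker wants to exclude (from the thread).
BLOCKED = ["tobem", "foocrypt", "theautomatski"]

# `if [field] in [ ... ]`: string equality against each array member.
# A full URL is never equal to a bare name, so this never drops anything here.
def in_array?(value, names)
  names.include?(value)
end

# `=~ "(tobem|foocrypt|theautomatski)"`: substring match anywhere in the URL.
# Also catches notfoocrypt.com and a path segment such as /foocrypt/archive.
def substring_match?(value, names)
  return false if value.nil?
  value.match?(Regexp.new("(#{names.join('|')})"))
end

# `=~ "\b(tobem|foocrypt|theautomatski)\b"`: word boundaries reject
# notfoocrypt.com, but a path segment /foocrypt/ still matches.
def word_boundary_match?(value, names)
  return false if value.nil?
  value.match?(Regexp.new("\\b(#{names.join('|')})\\b"))
end

# Parse the host out of the URL and keep only the label left of the TLD,
# so only the domain itself is compared, never the path.
# Hypothetical helper; a real pipeline would use the grok/dissect or
# a public-suffix list rather than this two-label heuristic.
def domain_label(url)
  return nil if url.nil?
  host = URI.parse(url).host
  return nil if host.nil?
  labels = host.split(".")
  labels.length >= 2 ? labels[-2] : labels.first
rescue URI::InvalidURIError
  nil
end

# Exact comparison of the parsed domain label against the block list.
def blocked_by_domain?(url, names)
  names.include?(domain_label(url))
end

# Run one strategy over all events and return the URLs it would drop.
def dropped_urls(events, checker)
  events.map { |e| e.dig("user", "url") }.select { |url| checker.call(url, BLOCKED) }
end

if __FILE__ == $0
  %i[in_array? substring_match? word_boundary_match? blocked_by_domain?].each do |name|
    puts "#{name}: #{dropped_urls(EVENTS, method(name)).inspect}"
  end
end
```

Running it shows why the `in` form silently drops nothing, why the bare alternation over-matches, and why matching on the parsed domain is the only variant that drops exactly the two events whose site is on the list.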

First one appears to work.

if [user][url] =~ "(tobem|foocrypt|theautomatski)"
