Filter-code errors apparently cause the filter not to be applied and I get nothing in Elasticsearch


(Russell Bateman) #1

I'm trying to enhance a working filter I wrote that does the first dissect, attempting it from now on only if field source contains audit.log, or using a different dissect if source contains debug.log. Then, if either succeeds, I'd like to remove the message field (that I will have parsed using dissect).

  filter
  {
    # field references are written without spaces, e.g. [source], [tags]
    if "audit.log" in [source]
    {
      dissect
      {
        mapping =>
        {
          "message" => ...
        }
      }
    }
    else if "debug.log" in [source]
    {
      dissect
      {
        mapping =>
        {
          "message" => ...
        }
      }
    }
    # remove_field is an option of the mutate filter, not a filter of its own;
    # a bare remove_field is a config error and the pipeline will not start
    if "_dissectfailure" not in [tags]
    {
      mutate
      {
        remove_field => [ "message" ]
      }
    }
  }

(Yes, the ellipses cover real, working code.) As I say, when this code wasn't surrounded by the if then else if conditional, it worked.
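A complete filter section with the same structure, as an added example rather than the poster's configuration: the dissect patterns are constructed stand-ins for the elided mappings, and the else branch is an added guard so the raw message is only dropped when a dissect actually ran and succeeded.

```logstash
filter {
  if "audit.log" in [source] {
    dissect {
      # constructed sample pattern, not the poster's real mapping
      mapping => { "message" => "%{ts} %{+ts} %{level} user=%{user} action=%{action}" }
      # default value, shown for clarity; this is the tag the later check relies on
      tag_on_failure => ["_dissectfailure"]
    }
  } else if "debug.log" in [source] {
    dissect {
      # constructed sample pattern, not the poster's real mapping
      mapping => { "message" => "%{ts} %{+ts} [%{thread}] %{level} %{logger} - %{msg}" }
    }
  } else {
    # neither pattern applies: mark the event so the raw line is kept, not silently lost
    mutate { add_tag => ["_unparsed_source"] }
  }

  # remove_field is a mutate option; drop the raw line only after a successful dissect
  if "_dissectfailure" not in [tags] and "_unparsed_source" not in [tags] {
    mutate { remove_field => ["message"] }
  }
}
```

`bin/logstash --config.test_and_exit -f <pipeline.conf>` validates the file and reports structural errors such as a bare remove_field before the pipeline is started.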