Filter-code errors apparently cause the filter not to be applied and I get nothing in Elasticsearch

RussellBateman · December 4, 2018, 12:50am

I'm trying to enhance a working filter I wrote that does the first dissect with only attempting that from now on if field source contains audit.log or using a different dissect if source contains debug.log. Then, if either succeeds, I'd like to remove the message field (that I will have parsed using dissect).

  if "audit.log" in [ source ]
  {
    dissect
    {
      mapping =>
      {
        "message" => ...
      }
    }
  }
  else if "debug.log" in [ source ]
  {
    dissect
    {
      mapping =>
      {
        "message" => ...
      }
    }
  }
  if "_dissectfailure" not in [ tags ]
  {
    remove_field => [ "message" ]
  }

(Yes, the ellipses cover real, working code.) As I say, when this code wasn't surrounded by the if then else if conditional, it worked.

system · January 1, 2019, 12:50am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Use of keyword 'else' causes error "Couldn't find any filter plugin named 'else'." Logstash	4	1711	January 11, 2019
How to debug Logstash filter with dissect? Logstash	7	4299	December 19, 2018
How to tell what fields can be examined/coded to in a Logstash filter? Logstash	2	307	January 3, 2019
Dissect filter plugin to map nested fields Logstash	3	1197	November 4, 2020
Unable to dissect logs based on a string pattern Logstash	1	569	September 4, 2017

Filter-code errors apparently cause the filter not to be applied and I get nothing in Elasticsearch

Related topics