Filter-code errors apparently cause the filter not to be applied and I get nothing in Elasticsearch

I'm trying to enhance a working filter I wrote that does the first dissect, so that from now on it only attempts that if field source contains audit.log, or uses a different dissect if source contains debug.log. Then, if either succeeds, I'd like to remove the message field (that I will have parsed using dissect).

  if "audit.log" in [ source ]
  {
    dissect
    {
      mapping =>
      {
        "message" => ...
      }
    }
  }
  else if "debug.log" in [ source ]
  {
    dissect
    {
      mapping =>
      {
        "message" => ...
      }
    }
  }
  if "_dissectfailure" not in [ tags ]
  {
    remove_field => [ "message" ]
  }

(Yes, the ellipses cover real, working code.) As I say, when this code wasn't surrounded by the if then else if conditional, it worked.
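
Added example, not part of the original post: in a Logstash pipeline `remove_field` is an option of a filter plugin rather than a statement, so it cannot appear bare inside an `if` block, and a configuration that fails to parse keeps the pipeline from starting. The sketch below sets it as a common option on each `dissect`, where it is applied only when that dissect succeeds; the mappings and the field names in them are constructed placeholders, since the post elides its real ones.

```logstash
filter {
  if "audit.log" in [source] {
    dissect {
      # Constructed placeholder mapping; substitute the real audit.log layout.
      mapping => {
        "message" => "%{ts} %{level} %{audit_msg}"
      }
      # Common filter option: runs only if this dissect succeeds, so a
      # failed parse (tagged _dissectfailure) keeps its raw message.
      remove_field => [ "message" ]
    }
  } else if "debug.log" in [source] {
    dissect {
      # Constructed placeholder mapping; substitute the real debug.log layout.
      mapping => {
        "message" => "%{ts} %{debug_msg}"
      }
      remove_field => [ "message" ]
    }
  }
  # Events from any other source reach this point untouched, with
  # message intact, because no dissect ran for them.
}
```

Unlike a trailing check on the `_dissectfailure` tag, this also leaves `message` in place on events whose source matched neither branch.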
