Filter does not work properly

111435 · November 12, 2021, 5:06am

I have this filter:

filter {

mutate {
convert => {"ticket_fields" => "string"
"tags" => "string"}
}

mutate {

        rename => { "tags" => "category" }
      }

if "неактивность" in [category] {

if "Диалог не состоялся" in [category] {
grok { match => {"category" => "%{GREEDYDATA}Диалог не состоялся:%{GREEDYDATA:category2}:%{GREEDYDATA:category3}\"%{GREEDYDATA},%{GREEDYDATA}"}}
mutate { add_field => {"category1" => "Диалог не состоялся"}}
}

else if "Консультация" in [category] {
grok { match => {"category" => "%{GREEDYDATA}Консультация:%{GREEDYDATA:category2}:%{GREEDYDATA:category3}\"%{GREEDYDATA},%{GREEDYDATA}"}}
mutate { add_field => {"category1" => "Консультация"}}
}

else if "Проблема" in [category] {
grok { match => {"category" => "%{GREEDYDATA}Проблема:%{GREEDYDATA:category2}:%{GREEDYDATA:category3}\"%{GREEDYDATA},%{GREEDYDATA}"}}
mutate { add_field => {"category1" => "Проблема"}}
}

}

else {

if "Диалог не состоялся" in [category] {
grok { match => {"category" => "%{GREEDYDATA}Диалог не состоялся:%{GREEDYDATA:category2}:%{GREEDYDATA:category3}\"%{GREEDYDATA}"}}
mutate { add_field => {"category1" => "Диалог не состоялся"}}
}

else if "Консультация" in [category] {
grok { match => {"category" => "%{GREEDYDATA}Консультация:%{GREEDYDATA:category2}:%{GREEDYDATA:category3}\"%{GREEDYDATA}"}}
mutate { add_field => {"category1" => "Консультация"}}
}

else if "Проблема" in [category] {
grok { match => {"category" => "%{GREEDYDATA}Проблема:%{GREEDYDATA:category2}:%{GREEDYDATA:category3}\"%{GREEDYDATA}"}}
mutate { add_field => {"category1" => "Проблема"}}
}
}
}

But in Elasticsearch I do not have parsed fields category1, category2, category3

and logstash logs have no errors.

Badger · November 12, 2021, 5:47pm

If there is only one "name" that contains three colon separated fields I would use the more compact

if "неактивность" in [category] {
    grok { match => { "category" => '"name"=>"(?<category1>(Диалог не состоялся|Консультация|Проблема)):(?<category2>[^:]+):(?<category3>[^:]+)"' } }
}

system · December 10, 2021, 5:48pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash filter seems not working Logstash	2	335	January 12, 2020
Nothing in filter block is being parsed. Why is only the filter not working in logstash? Logstash	6	326	March 31, 2020
Xml filter does not work Logstash	13	628	February 28, 2019
How to make it work?! Logstash	3	241	May 17, 2021
Pattern: grok/mutate dont work? Logstash	10	519	November 20, 2022

Filter does not work properly

Related topics