Filter does not work properly

Elastic Stack Logstash
1

I have this filter:

filter {

mutate {
convert => {"ticket_fields" => "string"
"tags" => "string"}
}

mutate {

        rename => { "tags" => "category" }
      }

if "неактивность" in [category] {

if "Диалог не состоялся" in [category] {
grok { match => {"category" => "%{GREEDYDATA}Диалог не состоялся:%{GREEDYDATA:category2}:%{GREEDYDATA:category3}\"%{GREEDYDATA},%{GREEDYDATA}"}}
mutate { add_field => {"category1" => "Диалог не состоялся"}}
}

else if "Консультация" in [category] {
grok { match => {"category" => "%{GREEDYDATA}Консультация:%{GREEDYDATA:category2}:%{GREEDYDATA:category3}\"%{GREEDYDATA},%{GREEDYDATA}"}}
mutate { add_field => {"category1" => "Консультация"}}
}

else if "Проблема" in [category] {
grok { match => {"category" => "%{GREEDYDATA}Проблема:%{GREEDYDATA:category2}:%{GREEDYDATA:category3}\"%{GREEDYDATA},%{GREEDYDATA}"}}
mutate { add_field => {"category1" => "Проблема"}}
}

}

else {

if "Диалог не состоялся" in [category] {
grok { match => {"category" => "%{GREEDYDATA}Диалог не состоялся:%{GREEDYDATA:category2}:%{GREEDYDATA:category3}\"%{GREEDYDATA}"}}
mutate { add_field => {"category1" => "Диалог не состоялся"}}
}

else if "Консультация" in [category] {
grok { match => {"category" => "%{GREEDYDATA}Консультация:%{GREEDYDATA:category2}:%{GREEDYDATA:category3}\"%{GREEDYDATA}"}}
mutate { add_field => {"category1" => "Консультация"}}
}

else if "Проблема" in [category] {
grok { match => {"category" => "%{GREEDYDATA}Проблема:%{GREEDYDATA:category2}:%{GREEDYDATA:category3}\"%{GREEDYDATA}"}}
mutate { add_field => {"category1" => "Проблема"}}
}
}
}

But in Elasticsearch I do not have parsed fields category1, category2, category3

image
image1555×115 12.2 KB

and logstash logs have no errors.

2

If there is only one "name" that contains three colon separated fields I would use the more compact

if "неактивность" in [category] {
    grok { match => { "category" => '"name"=>"(?<category1>(Диалог не состоялся|Консультация|Проблема)):(?<category2>[^:]+):(?<category3>[^:]+)"' } }
}
3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.