brain
April 9, 2016, 12:11am
hello internet!
can someone point out why the below filter, which looks for an IP, is not working?
if [answers] =~ "127\.0\.0\.1" {
mutate {
add_tag => [ "non-routable" ]
}
}
if [answers] {
mutate {
add_tag => [ "active" ]
}
}
the field in the elasticsearch document for reference;
"answers": [
"127.0.0.1"
],
I've also tried using == "127.0.0.1", which also doesn't seem to match.
This would be the correct regexp match syntax:
if [answers] =~ /127\.0\.0\.1/ {
But that's a sloppy regexp that doesn't anchor the beginning and end of the string, so this is better:
if [answers] =~ /^127\.0\.0\.1$/ {
And why use a regexp match when it's a plain string match you're after?
if [answers] == "127.0.0.1" {
And finally, since it's an array you're matching against what you really want to use is this:
if "127.0.0.1" in [answers] {
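Putting the answer together, here is the complete corrected filter for the original question, written as an added example rather than the answerer's own config. It assumes the same `answers` array field; the outer `[answers]` existence test is only there so the membership check runs against a field that is actually present.

```logstash
filter {
  # "answers" is an array, so test membership with "in" rather than
  # comparing the whole field value to a string with ==.
  if [answers] {
    mutate { add_tag => [ "active" ] }
    if "127.0.0.1" in [answers] {
      mutate { add_tag => [ "non-routable" ] }
    }
  }
}
```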