Filter not working

brain · April 9, 2016, 12:11am

hello internet!

can someone point out why the below filter which look for an IP is not working

  if [answers] =~ "127\.0\.0\.1" {
    mutate {
      add_tag => [ "non-routable" ]
    }
  }
  if [answers] {
    mutate {
      add_tag => [ "active" ]
    }
  }

the field in the elasticsearch document for reference;

  "answers": [
     "127.0.0.1"
  ],

if also tried using == "127.0.0.1" which also doesnt seem to match

magnusbaeck · April 12, 2016, 6:20pm

This would be the correct regexp match syntax:

if [answers] =~ /127\.0\.0\.1/ {

But that's a sloppy regexp that doesn't anchor the beginning and end of the string, so this is better:

if [answers] =~ /^127\.0\.0\.1$/ {

And why use a regexp match when it's a plain string match you're after?

if [answers] == "127.0.0.1" {

And finally, since it's an array you're matching against what you really want to use is this:

if "127.0.0.1" in [answers] {

Topic		Replies	Views
Error when using elasticsearch logstash filter Logstash	2	348	May 6, 2022
Xml filter does not work Logstash	13	626	February 28, 2019
Filter elasticsearch data with logstash Logstash	3	239	September 15, 2023
Conditional filtering by source with IP addresses Logstash	7	6973	April 11, 2017
Logstash if condition regex not working Logstash	11	1136	August 29, 2022

Filter not working

Related Topics