Filtering in LogStash using the if..in syntax

RunningSmurf · December 26, 2019, 3:17pm

Hello,

I want to update the "tags" filed to a certain value when my "message" contains the string "Error: 18456" in it.

This is the [message] value that ends up in Kibana:
message 2019-12-26 15:07:09.53 Logon Error: 18456, Severity: 14, State: 8.

This is my filter in Logstash:
filter {
if "Error: 18456" in [message] {
mutate {
update => { "tags" => "Error - Login failed"}
}
}
}

I do not get any error when running this configuration, but the "tags" field does not get updated. Do you see a syntax or logic error in my code? Thank you!

Sincerely,

RS

Badger · December 26, 2019, 4:40pm

If the tags field does not exist then update will not create it.

RunningSmurf · December 26, 2019, 7:42pm

Hello Badger,

Thank you for your reply. The "tags" field indeed exists. In other filters, I am able to update "tags" on a "if in " statement. The only difference is that the other filters go against fields other than [message]. I am wondering if there is something special about the fact that I am going against the [message] field, which is incidentally of type _doc.

Sincerely,

RS

Topic		Replies	Views
Filter on tag value in filter Logstash	2	1028	June 3, 2019
Filter if condition in Logstash Logstash	8	19690	July 24, 2019
Logstash does not parse if 'if' condition change Logstash	6	295	September 21, 2022
Conditional if not working as expected Logstash	1	46	June 8, 2025
If/CSV Filter not working Logstash	2	391	October 15, 2018

Filtering in LogStash using the if..in syntax

Related topics