Filters not working after split

Geezer · July 11, 2016, 10:30pm

I have F5 appliances sending multiple events, so use a split filter to separate these before parsing them.

The first grok filter I apply works, but any subsequent filters fail.

This is the working filter, with the match statement abbreviated:

filter {

F5 High Speed Logging

    if [type] == "hsl_f5" {
	split {
	}
	grok {
		patterns_dir => "/opt/logstash/patterns"
		match => [ "message", "....." ]
		add_tag => "grokked_hsl_f5"
	}
}

}

If I add a statement within the grok {} section, to add a second tag for example , it works. e.g.

	grok {
		patterns_dir => "/opt/logstash/patterns"
		match => [ "message", "....." ]
		add_tag => "grokked_hsl_f5"
                   add_tag => "test_tag"
	}

If I try to anything to the filter outside that grok {} section it is either ignored or logstash stops processing the events at all. e.g.

F5 High Speed Logging

    if [type] == "hsl_f5" {
	split {
	}
	grok {
		patterns_dir => "/opt/logstash/patterns"
		match => [ "message", "....." ]
		add_tag => "grokked_hsl_f5"
	}
	geoip {
		source => "client_ip"
		target => "geoip"
		database => "/etc/logstash/GeoLiteCity.dat"
		add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
		add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
	}
	mutate {
		convert => [ "[geoip][coordinates]", "float"]
	}
}

}

Is this a consequence of the split {} operator? Am I missing something?

Thanks

Topic		Replies	Views
Filter problems Logstash	8	652	July 6, 2017
Nothing in filter block is being parsed. Why is only the filter not working in logstash? Logstash	6	326	March 31, 2020
Logstash if statement not working probably Logstash	2	2334	December 25, 2015
Grok filter not working after add tags Logstash	3	872	September 20, 2017
Why is this logstah filter not working as intended? Logstash	2	290	September 13, 2020

Filters not working after split

F5 High Speed Logging

F5 High Speed Logging

Related Topics