Greater than not working in logstash filter and crashing

I'm getting IPFIX flow data and in filter I need to add fields and tags based on source or destination port. Everything is working perfectly when I compare port using "==". If I use ">" I get:

[2017-11-27T11:18:45,502][ERROR][logstash.pipeline ] Exception in pipelineworker, the pipeline stopped processing new events, please check your filter configuration and restart Logstash. {"exception"=>"undefined method `>' for nil:NilClass", "backtrace"=>["(eval):881:in `initialize'", "org/jruby/RubyArray.java:1613:in `each'", "(eval):801:in `initialize'", "org/jruby/RubyProc.java:281:in `call'", "(eval):689:in `filter_func'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:398:in `filter_batch'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:379:in `worker_loop'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:342:in `start_workers'"]}
[2017-11-27T11:18:45,557][FATAL][logstash.runner ] An unexpected error occurred! {:error=>#<NoMethodError: undefined method `>' for nil:NilClass>, :backtrace=>["(eval):881:in `initialize'", "org/jruby/RubyArray.java:1613:in `each'", "(eval):801:in `initialize'", "org/jruby/RubyProc.java:281:in `call'", "(eval):689:in `filter_func'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:398:in `filter_batch'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:379:in `worker_loop'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:342:in `start_workers'"]}
So if I just use these:

if [ipfix][destinationTransportPort] == 22 or [ipfix][sourceTransportPort] == 22 {
  mutate { add_field => { "app" => "scp" } }
} else if [ipfix][destinationTransportPort] == 53 or [ipfix][sourceTransportPort] == 53 {
  mutate { add_field => { "app" => "dns" } }
} else if [ipfix][destinationTransportPort] == 80 or [ipfix][sourceTransportPort] == 80 {
  mutate { add_field => { "app" => "web" } }
}

it's working without any problem.

But if I use ">" instead of "==" then my logstash daemon is crashing and getting Exception in pipelineworker.

Snippet which is causing the crash:

if [ipfix][destinationTransportPort] == 22 or [ipfix][sourceTransportPort] == 22 {
  mutate { add_field => { "app" => "scp" } }
} else if [ipfix][destinationTransportPort] == 53 or [ipfix][sourceTransportPort] == 53 {
  mutate { add_field => { "app" => "dns" } }
} else if [ipfix][destinationTransportPort] > 80 {
  mutate { add_field => { "app" => "web" } }
}

Thanks in advance for any comment/help.

The event doesn't have a [ipfix][destinationTransportPort] field. You can modify your conditional to

else if [ipfix][destinationTransportPort] and [ipfix][destinationTransportPort] > 80 {

to make sure you don't attempt to evaluate the > operator unless the field exists.
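An added illustration, not part of the original posts and not Logstash's own code: the backtrace shows the conditionals being evaluated as Ruby, so this plain-Ruby sketch shows why `==` tolerates a missing port field while `>` raises, and how the existence check avoids it. The event hashes and helper names (`port`, `classify_unguarded`, `classify_guarded`, `run`) are constructed for the example.

```ruby
# Constructed sample events; the second and fourth lack destinationTransportPort.
EVENTS = [
  { "ipfix" => { "sourceTransportPort" => 51000, "destinationTransportPort" => 22 } },
  { "ipfix" => { "sourceTransportPort" => 53 } },
  { "ipfix" => { "sourceTransportPort" => 40000, "destinationTransportPort" => 8080 } },
  { "ipfix" => {} },
].freeze

# Hypothetical helper: nested field lookup, nil when the field is absent.
def port(event, name)
  event.dig("ipfix", name)
end

# Mirrors the crashing snippet: `>` is called on whatever the lookup returns.
def classify_unguarded(event)
  dst = port(event, "destinationTransportPort")
  src = port(event, "sourceTransportPort")
  if dst == 22 || src == 22      # nil == 22 is simply false, no error
    "scp"
  elsif dst == 53 || src == 53
    "dns"
  elsif dst > 80                 # nil has no `>` method: NoMethodError
    "web"
  end
end

# Mirrors the fix from the answer: check the field exists before comparing.
def classify_guarded(event)
  dst = port(event, "destinationTransportPort")
  src = port(event, "sourceTransportPort")
  if dst == 22 || src == 22
    "scp"
  elsif dst == 53 || src == 53
    "dns"
  elsif dst && dst > 80
    "web"
  end
end

# Classify every event, recording the exception class instead of aborting.
# (In the thread, one such exception stopped the whole pipeline.)
def run(classifier)
  EVENTS.map do |event|
    send(classifier, event)
  rescue NoMethodError => e
    e.class.name
  end
end

puts run(:classify_unguarded).inspect, run(:classify_guarded).inspect if __FILE__ == $0
```
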

It worked!
Thanks a lot!
