How do you do multiple "OR"s in a filter?

meatwad · November 21, 2019, 3:55pm

Hi,

I currently have a filter with nine "or" statements that look for a few different strings in log messages, then applies a tag. I tried a regex similar to this, but it wasn't matching on anything:

if "(foo|bar|foobar)" in [message] {
  mutate {
    add_tag => "mytag" }
}

The only way I could get it to work is breaking them into multiple "or"s but I'm sure it's just me being an idiot and not doing something right. Any help would be GREATLY appreciated!

Thanks!

Badger · November 21, 2019, 3:58pm

Try

if [message] =~ "(foo|bar|foobar)" {

"in" does array membership testing and substring matching. =~ does regexp matching.

meatwad · November 21, 2019, 4:13pm

That did the trick -- thank you very much!

system · December 19, 2019, 4:26pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filter with more than one possible match? Logstash	3	393	April 19, 2022
Logstash or condition in if statement Logstash	3	62558	January 31, 2017
Avoiding multiple OR conditions in if statements logstash Logstash	3	1014	May 14, 2018
Conditional, check multiple values for a field Logstash	4	15458	December 15, 2017
Logstash pipeline multiple if statements Logstash	2	323	November 12, 2021

How do you do multiple "OR"s in a filter?

Related topics