Hi, I currently have a filter with nine "or" statements that look for a few different strings in log messages, then applies a tag. I tried a regex similar to this, but it wasn't matching on anything: if "(foo|bar|foobar)" in [message] { mutate { add_tag => "mytag" } } The only way I could …

How do you do multiple "OR"s in a filter?

Badger November 21, 2019, 3:58pm 2

Try

if [message] =~ "(foo|bar|foobar)" {

"in" does array membership testing and substring matching. =~ does regexp matching.

How to use if condition to filter spider event gracefully in logstash

Elasticsearch is a trademark of Elasticsearch BV, registered in the U.S. and in other countries
Trademarks
Terms
Privacy
Brand
Code of Conduct

Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.