How to add multiple conditions in single if statement if ((A==1) && (B==( 2 || 3))

Abdulrahman_Batis · December 17, 2019, 6:41am

I want to add tags to some known issue to make it easier to identified as known issue

what we want to do is to add tag to logs messages only if that message came from 2 or 3 different process ,
for example:

if "error opening socket: timeout" in [message] and [host] == "host111" {
      mutate { add_tag => "known-issue-Ticket:OPD-2232" }
  }

This Works fine but if I want to catch same error from another host:

  if "error opening socket: timeout" in [message] and [host] == "host111" OR "host222" {
       mutate { add_tag => "known-issue-Ticket:OPD-2232" }
  }

The bove didnt work

also tried the below

 if "error opening socket: timeout" in [message] and [host] == ["host111" OR "host222"] {

       mutate { add_tag => "known-issue-Ticket:OPD-2232" }
  }

if  "error opening socket: timeout" in [message] and [host] == ("host111" OR "host222") {
      mutate { add_tag => "known-issue-Ticket:OPD-2232" }
 }

   if "error opening socket: timeout" in [message] and [host] == ["host111" || "host222"] {
       mutate { add_tag => "known-issue-Ticket:OPD-2232" }
   }

In the documentation it gives similar example but not same

Here it is only if A==1 and B==2 then .....

if [loglevel] == "ERROR" and [deployment] == "production" {
pagerduty {
...
}
}
}

ITIC · December 17, 2019, 6:48am

Hi

I suspect the syntax should be something like

if "error opening socket: timeout" in [message] and ([host] == "host111" or [host] == "host222") {

Hope this helps

Abdulrahman_Batis · December 17, 2019, 7:07am

It Workssss Thank you so much .

Badger · December 17, 2019, 2:56pm

You can use a test for array membership, which is more compact.

[host] in [ "host111", "host222", "host3" ]

system · January 14, 2020, 2:56pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.