How to add multiple conditions in single if statement if ((A==1) && (B==( 2 || 3))

I want to add tags to some known issues to make them easier to identify as known issues.

What we want to do is add a tag to log messages only if the message came from 2 or 3 different processes,
for example:

  if "error opening socket: timeout" in [message] and [host] == "host111" {
    mutate { add_tag => "known-issue-Ticket:OPD-2232" }
  }

This works fine, but if I want to catch the same error from another host:

  if "error opening socket: timeout" in [message] and [host] == "host111" OR "host222" {
       mutate { add_tag => "known-issue-Ticket:OPD-2232" }
  }

The above didn't work.

I also tried the below:

  if "error opening socket: timeout" in [message] and [host] == ["host111" OR "host222"] {
    mutate { add_tag => "known-issue-Ticket:OPD-2232" }
  }

  if "error opening socket: timeout" in [message] and [host] == ("host111" OR "host222") {
    mutate { add_tag => "known-issue-Ticket:OPD-2232" }
  }

  if "error opening socket: timeout" in [message] and [host] == ["host111" || "host222"] {
    mutate { add_tag => "known-issue-Ticket:OPD-2232" }
  }

The documentation gives a similar example, but not the same:
https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html#conditionals

Here it is only if A==1 and B==2 then .....

  if [loglevel] == "ERROR" and [deployment] == "production" {
    pagerduty {
      ...
    }
  }

Hi

I suspect the syntax should be something like

if "error opening socket: timeout" in [message] and ([host] == "host111" or [host] == "host222") {

Hope this helps

It works! Thank you so much.

You can use a test for array membership, which is more compact.

[host] in [ "host111", "host222", "host3" ]

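The two replies above combined into one complete filter block, as an added example that is not part of the original posts. It assumes `[host]` is a plain string field, as in the question.

```logstash
filter {
  # Assumption: [host] holds a plain string such as "host111".
  #
  # Logstash boolean operators are lowercase (and, or), and each side of an
  # operator must be a complete expression. That is why
  #   [host] == "host111" OR "host222"
  # is rejected: "host222" on its own is not a comparison.
  #
  # The array membership test below is the compact form of
  #   ([host] == "host111" or [host] == "host222")
  if "error opening socket: timeout" in [message] and [host] in ["host111", "host222"] {
    mutate { add_tag => ["known-issue-Ticket:OPD-2232"] }
  }
}
```

To cover another host, add it to the array; the message match and the tag stay unchanged.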