How to break long condition in logstash config

alicango · March 29, 2021, 9:44pm

I have a filter section that removes a field if the event matches with regex. So my if condition is very long.

if [type] == "something" {
    if [displayName] =~ /([M-m]as|MAS)[\d]*/ or [displayName] =~ /([E-e]lk|ELK)/ or [displayName] =~ /other regex/ or [displayName] =~ /other regex/ {
        mutate {
            remove_field => ["[memory]", "[@version]"]
        }
    }
}

There are numerous displayName values comes from json array. is there another way to handle them? if there is no, how can I break the long if condition line?

Many thanks.

Badger · March 29, 2021, 10:40pm

If you are always matching [displayName] then you could combine the regexps

if [displayName] =~ /(([M-m]as|MAS)[\d]*)|([E-e]lk|ELK)|.../

If you are OK with using ruby you could try something like this.

Or you could use grok

grok {
    break_on_match => false
    match => {
        "displayName" => [
            "(?<[@metadata][matched]>([M-m]as|MAS)[\d]*)",
            "(?<[@metadata][matched]>([E-e]lk|ELK)",
            ...
        ]
    }
}
if [@metadata][matched] {
    mutate {  remove_field => [ "[memory]", "[@version]" "[@metadata][matched]" ] }
}

None of which is a great improvement

alicango · March 30, 2021, 10:34pm

They are great improvements. Thank you so much.

system · April 27, 2021, 10:35pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.