How to differentiate between field references and list memberships with "in"/"not in"?

If I have a sample event:

{ "client" => "someone" }

I'm curious as to what is going on in the following logstash configurations.

Configuration A:

if [client] not in ["someone", "foo"] {
  // do something...

Configuration B:

if [client] not in ["someone"] {
  // do something...

In A, the conditional is true, but in B it is not. The only thing I can think of is that in B it's treating "someone" as a field. Is there a way to force it to be treated as a single element list?

If you are using "not in" then I would not expect A to match :wink:

Configuration A is testing whether the value of the client field is in a set of strings. You want configuration B to test whether the value of the client field is a particular string. Why not use == ?

I want both A and B to test for membership in a list of strings, the only difference between them is the number of elements in the list. I'm generating the lists dynamically using another templating language so I could detect the single element case and have a condition for that to use "==" and if it's more than one use "in", but I'm wondering if there is a cleaner way to go about that.

I suppose another way to ask the question is can I use "in" with single element lists?

I am not an expert in how logstash parses its configuration, but I cannot find a way to get it to parse it the way you want.

Your thought process is correct, but you've probably stumbled on this
issue 1 , 2.
One solution proposed in there is to add a preset "dummy" value in the array, so it will never be a single-element one.

Otherwise, if your //Do something part is not very large, you could perform the same check using custom Ruby code.

Thank you for the replies. I'm going to go with the dummy value approach.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.