If I have a sample event:
{ "client" => "someone" }
I'm curious as to what is going on in the following logstash configurations.
Configuration A:
if [client] not in ["someone", "foo"] {
// do something...
}
Configuration B:
if [client] not in ["someone"] {
// do something...
}
In A, the conditional is true, but in B it is not. The only thing I can think of is that in B it's treating "someone" as a field. Is there a way to force it to be treated as a single element list?
If you are using "not in" then I would not expect A to match 
Configuration A is testing whether the value of the client field is in a set of strings. You want configuration B to test whether the value of the client field is a particular string. Why not use == ?
I want both A and B to test for membership in a list of strings, the only difference between them is the number of elements in the list. I'm generating the lists dynamically using another templating language so I could detect the single element case and have a condition for that to use "==" and if it's more than one use "in", but I'm wondering if there is a cleaner way to go about that.
I suppose another way to ask the question is can I use "in" with single element lists?
I am not an expert in how logstash parses its configuration, but I cannot find a way to get it to parse it the way you want.
Your thought process is correct, but you've probably stumbled on this
issue 1 , 2.
One solution proposed in there is to add a preset "dummy" value in the array, so it will never be a single-element one.
Otherwise, if your //Do something part is not very large, you could perform the same check using custom Ruby code.
Thank you for the replies. I'm going to go with the dummy value approach.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.