How to use 'AND' in Logstash?

Hi,

Can someone please say if it's correct to use the following,

if [message] =~ /department=technology&space=dev/{ ... }

Basically I am looking in [message] for the fields department and space. I am using operator &, please let me know if it's correct to use '&' as AND.

Thanks

& has no special meaning in regular expressions. If you give an example of the kind of string you want to match we'll be in a better position to help.

Hi Magnus,

Basically I am looking for two strings,

1) department=technology
2) space=dev

If [message] contains above two strings then do something.

This is what I am searching for. Can you please help me with it?

If you don't care about the ordering of them you can do

if "department=technology" in [message] and "space=dev" in [message] { ... }

but that won't distinguish between "space=dev" and "nospace=development" which might not be good enough for your needs.

Can I use something like,

if [message] =~ /department=technology/ and [message] =~ /space=dev/{ ... }

Would this work as expected?

Yes, it's equivalent to my proposal.

Okay, but how exactly can we deal with this? Isn't there any way where we can strictly define our need?

As I said, if you give an example of the kind of string you want to match we'll be in a better position to help.

I didn't clearly understand it. Are you asking for the strings? If so, these are the two strings I am looking for in an event,

department=technology 
space=dev

If you are asking about what an event looks like,

level=info app_id=467-mng-5478 department=technology app_name=test-qa org_id=65hjc-9hd-4dg0-bsgc-12yjk4r13 space=dev org_name=QA origin=server

There, finally. Use a kv filter to parse the string into fields, then use a conditional like this:

if [department] == "technology" and [space] == "dev" { ... }

What if I am not including those keys from kv?

Rename the fields after the filter.
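
An added example, not part of the original thread: plain Ruby (Logstash conditionals use Ruby regular expressions) comparing the substring test, a token-anchored regex, and field comparison after kv-style parsing. The events after the first are constructed, `parse_kv` is a simplified stand-in for the kv filter's default splitting on whitespace and `=`, and the anchored regex is an extra variant that nobody in the thread proposed.

```ruby
# First event is the one quoted in the thread; the rest are constructed near-misses.
EVENTS = [
  "level=info app_id=467-mng-5478 department=technology app_name=test-qa " \
  "org_id=65hjc-9hd-4dg0-bsgc-12yjk4r13 space=dev org_name=QA origin=server",
  "level=info department=technology nospace=development origin=server",
  "level=info department=technology-ops space=dev origin=server",
  "level=info department=finance space=dev origin=server",
].freeze

# Mirrors: if "department=technology" in [message] and "space=dev" in [message]
def substring_match?(message)
  message.include?("department=technology") && message.include?("space=dev")
end

# Added variant: each key=value pair must be a whole whitespace-delimited token.
def anchored_match?(message)
  message.match?(/(?:\A|\s)department=technology(?:\s|\z)/) &&
    message.match?(/(?:\A|\s)space=dev(?:\s|\z)/)
end

# Simplified stand-in for the kv filter: split on whitespace, then on the first "=".
def parse_kv(message)
  message.split.each_with_object({}) do |token, fields|
    key, value = token.split("=", 2)
    fields[key] = value unless key.nil? || key.empty? || value.nil?
  end
end

# Mirrors: if [department] == "technology" and [space] == "dev"
def field_match?(message)
  fields = parse_kv(message)
  fields["department"] == "technology" && fields["space"] == "dev"
end

# One row per event: [substring, anchored regex, parsed fields]
def compare(events)
  events.map { |e| [substring_match?(e), anchored_match?(e), field_match?(e)] }
end

compare(EVENTS).each_with_index do |(sub, anchored, field), i|
  puts "event #{i + 1}: substring=#{sub} anchored=#{anchored} fields=#{field}"
end
```

The second and third events pass the substring test but fail the field comparison, which is the "nospace=development" problem raised earlier in the thread.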
