How to use if else in logstash output

lokeshbabloo · November 26, 2020, 4:00pm

Hi

i need a help in constructing the logstash output

i am having two log files like this, one is

<#> 20200806 17:04:23.261 280018000 EV.INF [ MVINB-LSL2.T1G1_WEBSVR1 main.main TSP1.T1G1_WEBSVR1 ] Process T1G1_WEBSVR1 starting in progress...

other one is

<#> 20200806 17:04:23.261 280018000 EV.INF [ MVINB-LSL2.T1G1_WEBSVR1 main.main TSP1.T1G1_WEBSVR1 ] Process T1G1_WEBSVR1 starting in progress...

and here is my logstash conf

input{

stdin {

 }

}

filter {

grok{

match => {

"message"=> "<#>\s*(?<@log_date>%{YEAR}%{MONTHNUM}%{MONTHDAY}\s*%{TIME})\s*\s*%{INT:event_id}\s*\s*%{GREEDYDATA:event_type}\s*\s*[\s*\s*%{HOSTNAME:host_name}.%{USERNAME:Process_name}\s%{HOSTNAME:thread}\s*\s*\s*\s*\s*\s*%{USERNAME:logger_name}\s*\s*\s*\s*\s*]\s*\s*%{GREEDYDATA:log_message}"

}

date

{

match => ["@log_date", "YYYYMMDD HH:mm:ss.SSS"]

target => "@log_date"

}

mutate {

 gsub => [ "event_type" , "FD.INF" , "Info"]

 gsub => [ "event_type" , "FD.FNE" , "Fine"]

 gsub => [ "event_type" , "TR.FNE" , "Fine"]

  gsub => [ "event_type" , "DE.INF" , "Info"]

  gsub => [ "event_type" , "FD.WRN" , "Warning"]

   gsub => [ "event_type" , "EV.WRN" , "Warning"]

  gsub => [ "event_type" , "DE.WRN" , "Warning"]

  gsub => [ "event_type" , "TR.FNS" , "Finest"]

gsub => [ "event_type" , "FT.FNR" , "Finer"]

gsub => [ "event_type" , "EV.INF" , "Info"]

gsub => [ "event_type" , "FT.FNS" , "Finest"]

gsub => [ "event_type" , "FT.FNE" , "Finest"]

gsub => [ "event_type" , "EV.ERR" , "Error"]

gsub => [ "event_type" , "ST.ERR" , "Error"]

gsub => [ "event_type" , "DE.ALL" , "Error"]



}

}

output {

elasticsearch {

 hosts => ["127.0.0.1:9200"]

      

 index => "mdynamic logs"

}

Now here i want to create index different index based on Process name. Can i know how to use if else in the logstash output to elastics search and create index based on process name

Thanks and regards
Lokesh babloo

Badger · November 26, 2020, 4:05pm

If you just want to use the Process_name field as the index name then

 index => "%{Process_name}"

lokeshbabloo · November 26, 2020, 4:24pm

Hi @Badger ,

Thank you for your reply

but here i will be getting different process_name like "ATMTH1" as one of the process name and "WEBSVR1" as other process name. if my log contains the Process_name as "ATMTH1" , i want to create an index named as "ATMTH1" in the elastics search. and if my process_name contains the process name as "WEBSVR1" , i want to create another index named as "WEBSVR1" as another index. so like if else condition in logstash output towards elasticsearch , any idea Badger?

Badger · November 26, 2020, 5:05pm

That is exactly what the sprintf field reference I suggested will do.

lokeshbabloo · November 26, 2020, 5:28pm

Hi @Badger I tried with index => "%{Process_name}"

i am getting this error in output as it is not allowing the uppercase

[2020-11-26T22:55:19,623][ERROR][logstash.outputs.elasticsearch][main][6a5880b3351b6e202183bdc3669dd469ae35d8a1fec3a6b90ad56097065a3209] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"WEBSVR1", :routing=>nil, :_type=>"_doc"}, #LogStash::Event:0x64f3cc21], :response=>{"index"=>{"_index"=>"WEBSVR1", "_type"=>"_doc", "_id"=>nil, "status"=>400, "error"=>{"type"=>"invalid_index_name_exception", "reason"=>"Invalid index name [WEBSVR1], must be lowercase", "index_uuid"=>"na", "index"=>"WEBSVR1"}}}}

Badger · November 26, 2020, 6:23pm

OK, you are going to have to put up with websvr1 as the index name.

filter { mutate { lowercase => [ "Process_name" ] } }

lokeshbabloo · December 18, 2020, 1:16pm

Hi @Badger yeah thats working. Thank you so much.

system · January 15, 2021, 1:16pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.