Hello. I have a Logstash configuration file and I can parse input logs correctly. My question is: can I have conditions on my parsed data? Is this even possible in a Logstash config file?
For example, I want only odd sequence numbers to be stored, or something like this.
Does anyone have any idea?
This is a sample input log:
<38>2020-04-01T23:30:02 localhost prg00000[1234]: seq: 0000000096, thread: 0000, runid: 1585767601, stamp: 2020-04-01T23:30:02 PADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADD
My configuration file:
input {
  tcp { port => 9000 }
  udp { port => 9000 }
}
filter {
  dissect {
    mapping => {
      "message" => "<%{pri}>%{ts} %{host} %{program}[%{pid}]: seq: %{seq}, thread: %{thread}, runid: %{runid}, stamp: %{stamp} %{message}"
    }
  }
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
  }
}
And this is the Logstash output after parsing the log:
{
"@timestamp" => 2020-04-01T21:07:04.159Z,
"message" => "<38>2020-04-02T01:37:04 localhost prg00000[1234]: seq: 0000000002, thread: 0000, runid: 1585775222, stamp: 2020-04-02T01:37:04 PADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADD",
"port" => 47958,
"@version" => "1",
"host" => "localhost",
"tags" => [
[0] "_grokparsefailure"
]
}
Thank you.
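
Added example, not part of the original post: Logstash supports `if` / `else if` / `else` around filter plugins, but its conditionals have no arithmetic or modulo operator, so the parity of the zero-padded `seq` string is tested here with a regex on its last digit. The filter reuses the dissect mapping from the post; the `unparsed` tag name is an assumption chosen for illustration.

```logstash
filter {
  dissect {
    mapping => {
      "message" => "<%{pri}>%{ts} %{host} %{program}[%{pid}]: seq: %{seq}, thread: %{thread}, runid: %{runid}, stamp: %{stamp} %{message}"
    }
  }

  if "_dissectfailure" in [tags] {
    # dissect adds this tag by default when the mapping does not match.
    # Such events have no seq field, so keep them and mark them for review
    # instead of letting them fall through the parity test unnoticed.
    # ("unparsed" is a hypothetical tag name.)
    mutate { add_tag => ["unparsed"] }
  } else if [seq] =~ /[02468]$/ {
    # seq is a string such as "0000000096"; an even last digit means an
    # even sequence number, so the event is discarded before the output.
    drop { }
  }
  # Everything else (odd seq) continues to the output section unchanged.
}
```

The same `if` syntax also works inside the `output` section when events should be routed to different destinations rather than dropped.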