Hi
Having the latest logstash-7.7.1-1.noarch from the official repo (baseurl=https://artifacts.elastic.co/packages/7.x/yum)
In the output section the
if "_grokparsefailure" not in [tags]
works fine.
But any of the
if [event][action] =~ /^logged/ or [event][action] =~ /^viewed/
if [event][action] == "logged"
if [event][action] in [ "logged", "viewed" ]
does not work at all.
What am I missing?
Need working example.
Thanks
It would be helpful to see your data. The field that you use in your condition probably doesn't exist or has a different value than you think.
I have only the one match clause for such a data:
"^Operator %{DATA:user.name} (?<event.action>logged)"
and as you can see it's impossible to make mistake.
Also I see in the kibana the parsed data:
event.action logged
If an any working config exists for a similar task I will go further.
Now after the day of fight i have doubts for a logstash possibilities 
So you've got a field [event.action], not [event][action]. (The latter would mean that there is a subfield action in event.)
It's interesting that
if [event.action] =~ /^logged/ or [event.action] =~ /^viewed/
works fine, but the same in:
if [event.action] in [ "logged", "viewed" ]
doesn't.
Those two tests are different.
if [event.action] in [ "logged", "viewed" ]
is equivalent to
if [event.action] == "logged" or [event.action] == "viewed"This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.