IF condition on the beginning of a log line

Ksugiu · June 13, 2017, 3:36pm

Hi all :),

Happy to be new to ELK. ( 2 days )
I would like to know how to make a condition on the beginnig of a log line.

For exemple :
This is my log :
2017-05-31 12:09:50,070 10885 INFO openstack_auth.views Logging out user "admin".

I have already parsed my log file, and i collect just the log message ("Logging out user "admin".") in LOGMESSAGE variable and i would like to make a condition like this :


if [module] == "openstack_auth.forms" AND "LOGMESSAGE BEGIN BY WORD Logging"

{

// My code

}

I don't know how to realize the { AND "LOGMESSAGE BEGIN BY WORD Logging" } condition...

Can someone tell me how to do ?

Thx for your help

Kryten · June 13, 2017, 7:43pm

Hi @Ksugiu

If, as you say, you have saved the:-

Logging out user "admin"

String into a field named "logmessage", then you could do something like:-

if [module] == "openstack_auth_forms" and [logmessage] =~ /^Logging.*/ {

   <do stuff>

}

Ksugiu · June 14, 2017, 7:04am

Hi Kryten,

Thx for your reply.
It's exactlly what i was looking for

system · July 12, 2017, 7:04am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.