I have a random log file which contain diff data, I have created fields in it using mutate filter, my if conditions are working but not my else conditions working.
log line : 90-50-31: ill ill you are You
if [ty] =~ "YOU" or "you" {
mutate {
gsub => [ "field", "[a-zA-Z]+" , "" ]
}
} else {
mutate { gsub => [ "field", "[0-9]+" , "" ] }
}
not any else is working, drop filter in else drops every thing and my data for next field becomes invisible
can you please paste whole config file
log line : 90-50-31: ill ill you are You
log line : 90-50-31: ill till you are You
log line : 90-50-31: ill end you are You
filter {
translate {
field => "[message]"
destination => "[matched]"
dictionary => [ "till", "drop",
"end", "drop" ]
exact => true
regex => true
}
if [matched] !~ "drop" {
drop {}
}
mutate {
copy => { "message" => "io" }
convert => { "io" => "string" }
add_field => { "field" => "%{io}"}
}
if [ty] =~ "YOU" or "you" {
mutate {
gsub => [ "field", "[a-zA-Z]+" , "" ]
}
} else {
mutate { gsub => [ "field", "[0-9]+" , "" ] }
}
}
every thing is working fine except any else statement, or give em any else working statement with conf file other than drop filter to get an idea
I would expect to get an error for that. If you want to match either YOU or you then you can use
if [ty] =~ /YOU|you/ {
If you want it to be case insensitive you can use
if [message] =~ /(?i:foo)/ {
thanks it worked 
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.