IF conditional not dropping field

Sjaak01 · January 19, 2018, 8:46am

Hi,

I'm trying to filter out some data but for some reason the conditional I'm using isn't working. I'm using a similar config for another log and there it's working fine.

I also tried putting the conditional after renaming the fields in case child fields somehow where causing the issue but that isn't working either. What am I doing wrong?

filter {
  if [type] == "netflow" {

  if [netflow][l4_src_port] == "8888" {
     drop { }
  }

  if [netflow][l4_dst_port] == "8888" {
     drop { }
  }

     mutate {
     add_field => { "location" => "A" }

rename => { "[netflow][ipv4_dst_addr]" => "ipv4_dst_addr" }
rename => { "[netflow][ipv4_src_addr]" => "ipv4_src_addr" }
rename => { "[netflow][l4_src_port]" => "l4_src_port" }
rename => { "[netflow][l4_dst_port]" => "l4_dst_port" }
rename => { "[netflow][out_bytes]" => "out_bytes" }
rename => { "[netflow][in_bytes]" => "in_bytes" }
rename => { "[netflow][in_bytes]" => "in_bytes" }
rename => { "[netflow][protocol]" => "protocol" }

     }


  mutate {
    remove_field => [ "@version", "host", "netflow" ]
  }
 }
}

magnusbaeck · January 22, 2018, 9:24pm

As discussed in another thread the problem is probably that you're double-quoting the port numbers.

system · February 19, 2018, 9:26pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Conditionals not working on numeric fields Logstash	3	453	February 21, 2018
Filter if condition in Logstash Logstash	8	19412	July 24, 2019
If condition working but not else Logstash	6	1578	May 3, 2019
Logstash conditional not being evaluated Logstash	3	375	October 4, 2019
Logstatsh Conditional Filter is not working Logstash elastic-stack-monitoring	3	300	April 19, 2022

IF conditional not dropping field

Related topics