If conditional statement field source

elaair · June 28, 2017, 5:21am

I have defined a simple parser and would like to setup a if statement in log stash.conf to have a grok match on one of the fields. I am working towards having many log sources but am starting with only one. I have a field %{WORD:process_name} and am wondering if I can use process_name in an if statement like this if [process_name == "dhcpd" {
Will this work?
Logstash.conf
input {

file {
path => [ "/var/log/dhcpd.log" ]
type => "syslog"
}
} #Close input

filter {

if [process_name] == "dhcpd" {
grok {
patterns_dir => "/home/wschroed/logstash-5.4.1/patterns/"
match => { "message" => "%{270617DHCPD}" }
} #Close grok

} # close if

   } # Close filter

output {
elasticsearch { hosts => ["10.0.1.146:9200"] }
}

Grok
270617DHCPD %{SYSLOGTIMESTAMP:date}%{SPACE}%{HOSTNAME:device_hostname}%{SPACE}%{DAEMON:process_name}%{SPACE}%{ACTION:dhcp_request}%{SPACE}%{WORD:toss}%{SPACE}%{IP:src_IP}%{SPACE}%{WORD:toss}%{SPACE}%{COMMONMAC:src_mac}%{SPACE}(%{HOSTNAME:src_hostname})%{SPACE}%{WORD:toss}%{SPACE}%{WORD:device_interface}

magnusbaeck · June 28, 2017, 5:44am

if [process_name] == "dhcpd" {

This is syntactically correct but won't work in this particular case since the process_name field is created by the grok filter inside the conditional. It's a catch-22 situation.

system · July 26, 2017, 5:44am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.