If/CSV Filter not working


(Walker) #1

Running the pipeline below, my events are not being split into fields and the tag isn't being added. I would have to assume there is something wrong with my if statement, but I'm not sure what. The tag Exchange is added by the Filebeat agent and appears in the Elasticsearch output. The source field value is a partial match on a directory location that some of the files are being pulled from. No errors appear in the Logstash debug logs either.

  if "Exchange" in [tags] and [source] =~ "\\FrontEnd\\ProtocolLog\\SmtpReceive" {
    csv {
      source => "message"
      columns => [ "date","connector-id","session-id","sequence-number","local-endpoint","remote-endpoint","event","data","context" ]
      convert => {
       "date" => "date_time"
      }
      add_tag => ["FrontEnd SMTP Receive"]
    }
  }

(Walker) #2

It definitely appears to be my IF statement. Below is what I've modified it to, but I am still not getting the tag applied to the events.

filter {
  if [tags] !~ "Exchange" {
  ...
  }
  else if [source] =~ "C:\\Program Files\\Microsoft\\Exchange Server\\V15\\TransportRoles\\Logs\\FrontEnd\\ProtocolLog\\SmtpReceive\\.*" {
    mutate {
      add_tag => ["FrontEnd SMTP Receive"]
    }
  }
}

I've also tried modifying the if statement to a regex without double quotes, but it does not work either.

else if [source] =~ /^C:\\Program Files\\Microsoft\\Exchange Server\\V15\\TransportRoles\\Logs\\FrontEnd\\ProtocolLog\\SmtpReceive\\.*/ {
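The matching and parsing logic the pipeline above is trying to express, written as a stand-alone Ruby script so it can be unit tested outside Logstash. This is an added example, not code from the thread or from the Logstash project; the event hash, the sample log line and the helper names (front_end_smtp_receive?, split_csv, parse_smtp_receive) are assumptions for illustration. Logstash runs on JRuby and its conditionals use Ruby regexes, so the Regexp semantics are the same, but the config-file string escaping questioned in the thread is deliberately not reproduced: the path fragment is passed through Regexp.escape so that every backslash is matched literally.

```ruby
# Added example: replicate the intended checks of the Logstash conditional in plain Ruby.
# Column names are the ones listed in the thread's csv filter.
SMTP_RECEIVE_COLUMNS = %w[date connector-id session-id sequence-number
                          local-endpoint remote-endpoint event data context].freeze

# Directory fragment from the thread. Regexp.escape turns each backslash into a
# literal match instead of an escape for the next character.
SMTP_RECEIVE_DIR = Regexp.new(Regexp.escape('\\FrontEnd\\ProtocolLog\\SmtpReceive\\'))

# Equivalent of: if "Exchange" in [tags] and [source] =~ <SmtpReceive directory>
def front_end_smtp_receive?(event)
  tags = Array(event['tags'])
  tags.include?('Exchange') && SMTP_RECEIVE_DIR.match?(event['source'].to_s)
end

# Minimal CSV field splitter: handles double-quoted fields (the "data" column of
# SMTP protocol logs can contain commas) and "" as an escaped quote inside them.
def split_csv(line)
  fields = []
  cur = +''
  in_quotes = false
  i = 0
  while i < line.length
    c = line[i]
    if in_quotes
      if c == '"'
        if line[i + 1] == '"'   # doubled quote inside a quoted field
          cur << '"'
          i += 1
        else
          in_quotes = false     # closing quote
        end
      else
        cur << c
      end
    elsif c == '"'
      in_quotes = true          # opening quote
    elsif c == ','
      fields << cur
      cur = +''
    else
      cur << c
    end
    i += 1
  end
  fields << cur
end

# Equivalent of the csv filter plus add_tag: split "message" into the named
# columns and append the tag. Events that fail the condition pass through unchanged.
def parse_smtp_receive(event)
  return event unless front_end_smtp_receive?(event)

  parsed = SMTP_RECEIVE_COLUMNS.zip(split_csv(event['message'].to_s)).to_h
  event.merge(parsed).merge('tags' => Array(event['tags']) + ['FrontEnd SMTP Receive'])
end

# Constructed sample event (hostnames, IDs and addresses are made up).
SAMPLE_EVENT = {
  'tags' => ['Exchange'],
  'source' => 'C:\\Program Files\\Microsoft\\Exchange Server\\V15\\TransportRoles\\Logs' \
              '\\FrontEnd\\ProtocolLog\\SmtpReceive\\RECV20200303-1.LOG',
  'message' => '2020-03-03T10:15:22.123Z,EXCH01\\Default Frontend EXCH01,08D7BF3B9C1E2A4D,3,' \
               '10.0.0.5:25,203.0.113.7:51234,>,' \
               '"220 exch01.example.net Microsoft ESMTP MAIL Service ready at Tue, 3 Mar 2020 10:15:22 +0000",'
}.freeze

if __FILE__ == $PROGRAM_NAME
  result = parse_smtp_receive(SAMPLE_EVENT)
  SMTP_RECEIVE_COLUMNS.each { |col| puts "#{col}: #{result[col]}" }
  puts "tags: #{result['tags'].inspect}"
end
```

Running the script prints the nine columns of the constructed line plus the final tag list; an event without the Exchange tag, or whose source sits under a different ProtocolLog directory, comes back untouched.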


(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.