If Else condition based on input log lines in logstash

Hi There,

I would like to write a logstash config file with an if else condition.

line 1:
"Severity","ThreadID","Date","Time","Application","Message"

GROK for Line 1:
%{DATA:Severity}","%{DATA:ThreadID}","%{DATA:Date}","%{DATA:Time}","%{DATA:Application}","%{GREEDYDATA:Message}

line 2:
"Information","jrpp-0","01/24/13","00:29:50",,"[Workflows] Demo: Begin"

GROK for Line 2:
%{WORD:Severity}","%{DATA:ThreadID}","%{DATA:date}","%{DATA:time}",,"%{GREEDYDATA:message}

I want to ignore the line one logs.

Could you please help me to write this logstash.conf file.

filter {
  grok {
    # single-quote the pattern so the double quotes in the log line need no escaping
    match => [ "message", '%{WORD:Severity}","%{DATA:ThreadID}","%{DATA:date}","%{DATA:time}",,"%{GREEDYDATA:message}' ]
  }

  mutate { add_field => { "datetime" => "%{date} %{time}" } }

  date {
    # the sample line carries 01/24/13 00:29:50, i.e. MM/dd/yy HH:mm:ss
    match => [ "datetime", "MM/dd/yy HH:mm:ss" ]
    timezone => "Etc/UCT"
  }
}

Thanks in advance.

Hi @sudo-ranjith,
You can use the code below:

In the first if condition you can use a unique word which is present in all line 1 logs but not in line 2 logs.

For the else if condition you can use a unique word which is present in all line 2 logs but not in line 1 logs.

if "Application" in [message] {
  drop { }
}
else if "Workflows" in [message] {
  grok {
    # single-quote the pattern so the embedded double quotes need no escaping
    match => { "message" => '%{WORD:Severity}","%{DATA:ThreadID}","%{DATA:date}","%{DATA:time}",,"%{GREEDYDATA:message}' }
  }
}

If you want an option which is not directly related to the content of the lines:

filter {
  grok {
    match => {"message" => '%{WORD:Severity}","%{DATA:ThreadID}","%{DATA:date}","%{DATA:time}",,"%{GREEDYDATA:message}'}
  }
}

output {
  if "_grokparsefailure" not in [tags] {
    elasticsearch { ... }
  }
}
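To see how the two answers route the question's lines, here is an added Python emulation of the pipeline (not code from the thread or from Logstash): the grok patterns become equivalent regexes, header lines are dropped, events grok cannot parse are tagged `_grokparsefailure` and held back at the output stage, and the date filter is emulated with the `MM/dd/yy HH:mm:ss` layout the sample line actually uses. The sample lines are constructed from the question.

```python
import re
from datetime import datetime, timezone

# Regex equivalents of the grok patterns from the thread (grok is unanchored, hence re.search):
# WORD -> \b\w+\b, DATA -> .*?, GREEDYDATA -> .*
DATA_LINE = re.compile(
    r'(?P<Severity>\b\w+\b)","(?P<ThreadID>.*?)","(?P<date>.*?)","(?P<time>.*?)",,"(?P<message>.*)'
)
HEADER_LINE = '"Severity","ThreadID","Date","Time","Application","Message"'


def process_event(line):
    """Emulate the filter {} block: return None for a dropped event, else the event dict."""
    event = {"message": line, "tags": []}
    # First answer's idea (drop header lines), but as an exact comparison rather than
    # 'if "Application" in [message]', so a data line mentioning "Application" survives.
    if line.strip() == HEADER_LINE:
        return None
    m = DATA_LINE.search(line)
    if m is None:
        event["tags"].append("_grokparsefailure")  # what grok {} does on a miss
        return event
    event.update(m.groupdict())
    event["message"] = event["message"].rstrip('"')  # GREEDYDATA keeps the closing CSV quote
    event["datetime"] = f"{event['date']} {event['time']}"
    # date {} emulated with the layout the sample actually uses: MM/dd/yy HH:mm:ss in UTC
    try:
        event["@timestamp"] = datetime.strptime(event["datetime"], "%m/%d/%y %H:%M:%S").replace(tzinfo=timezone.utc)
    except ValueError:
        event["tags"].append("_dateparsefailure")
    return event


def route(lines):
    """Emulate the output {} block of the second answer: ship parsed events, hold back grok failures."""
    shipped, held = [], []
    for line in lines:
        ev = process_event(line)
        if ev is None:
            continue
        (held if "_grokparsefailure" in ev["tags"] else shipped).append(ev)
    return shipped, held


# Constructed sample input: the two lines from the question plus one line no pattern matches.
SAMPLE = [
    '"Severity","ThreadID","Date","Time","Application","Message"',
    '"Information","jrpp-0","01/24/13","00:29:50",,"[Workflows] Demo: Begin"',
    "unstructured line that matches neither pattern",
]
```

Holding failed events back with a tag, instead of dropping them, keeps a record of what the pipeline could not parse.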
