If Else condition based on input log lines in logstash

sudo-ranjith · June 29, 2021, 11:19am

Hi There,

I would like to write a logstash config file with an if else condition.

line 1:
"Severity","ThreadID","Date","Time","Application","Message"

GROK for Line 1:
%{DATA:Severity}","%{DATA:ThreadID}","%{DATA:Date}","%{DATA:Time}","%{DATA:Application}","%{GREEDYDATA:Message}

line 2:
"Information","jrpp-0","01/24/13","00:29:50",,"[Workflows] Demo: Begin"

GROK for Line 2:
%{WORD:Severity}","%{DATA:ThreadID}","%{DATA:date}","%{DATA:time}",,"%{GREEDYDATA:message}

I want to ignore the line one logs.

could you please help me to write this logstash.conf file.

filter

{
grok {

    match => ["message", "%{WORD:Severity}","%{DATA:ThreadID}","%{DATA:date}","%{DATA:time}",,"%{GREEDYDATA:message}"]

}

mutate { add_field => { "datetime" => "%{date} %{time}" } }

date {
match => [ "datetime", "YY-MM-dd HH:mm:ss" ]
timezone => "Etc/UCT"
}
}

thanks in advance.

mangeshmj1992 · June 29, 2021, 4:41pm

Hi @sudo-ranjith ,
You can use below code:

In first if condition you can use unique word which is present in all log line1 but not in log line2.

for else if condition you can use unique word which is present in all log line2 but not in log line1.

if "Application" in [message]  {
        drop { }
}
else if "Workflows" in [message]{
grok{
	match => { "message" => "%{WORD:Severity}","%{DATA:ThreadID}","%{DATA:date}","%{DATA:time}",,"%{GREEDYDATA:message}" }
}
}

Cad · June 30, 2021, 8:22am

If you want an option which is not directly related to the content of the lines

filter {
  grok {
    match => {"message" => '%{WORD:Severity}","%{DATA:ThreadID}","%{DATA:date}","%{DATA:time}",,"%{GREEDYDATA:message}'}
  }
}

output {
  if "_grokparsefailure" not in [tags] {
    elasticsearch { ... }
  }
}

system · July 28, 2021, 8:23am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.