If/Else not working as expected in filter

va1entin · April 16, 2018, 11:15am

Hey folks,

I am a bit confused regarding use of if else constructs in logstash. I have the following config:

filter {
  if "apache_access" in [tags] {
    grok {
        match => { "message" => "%{HTTPD_COMMONLOG}" }
    }
  }

  if "apache_error" in [tags] {
    grok {
        match => { "message" => "%{HTTPD24_ERRORLOG}" }
    }
  }
  else {
    drop { }
  }
}

What I want it to do is:

if input has apache_access in tags, match it
if input has apache_error in tags, match it
else drop it

However the drop applies to anything that comes in. Even if something is matched in i.e. the apache_access if condition it still jumps to the else condition and drops the input.

This is not how I know If/Else from other programming languages. Is this a bug or the way it's supposed to work?
I know that there are workarounds, like adding a tag to any input in the beginning, removing it only after it's been successfully matched and dropping anything that still has the tag in the end but the construct above seems to be the most straight-forward way of accomplishing what I described.

magnusbaeck · April 16, 2018, 11:27am

Your else block is only connected to the second conditional. You need this:

if ... {
  ...
} else if ... {
  ...
} else {
  ...
}

va1entin · April 16, 2018, 11:35am

Thank you very much, @magnusbaeck
That does exactly what I intended. I didn't know that the conditions have to connected like that.

system · May 14, 2018, 11:43am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.