Hey folks,
I am a bit confused regarding the use of if/else constructs in Logstash. I have the following config:
filter {
  if "apache_access" in [tags] {
    grok {
      match => { "message" => "%{HTTPD_COMMONLOG}" }
    }
  }
  if "apache_error" in [tags] {
    grok {
      match => { "message" => "%{HTTPD24_ERRORLOG}" }
    }
  } else {
    drop { }
  }
}
What I want it to do is:
- if input has apache_access in tags, match it
- if input has apache_error in tags, match it
- else drop it
However, the drop applies to anything that comes in. Even if something is matched in, i.e., the apache_access if condition, it still jumps to the else condition and drops the input.
This is not how I know If/Else from other programming languages. Is this a bug or the way it's supposed to work?
I know that there are workarounds, like adding a tag to any input in the beginning, removing it only after it's been successfully matched, and dropping anything that still has the tag in the end, but the construct above seems to be the most straightforward way of accomplishing what I described.
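
Added example, not part of the original post: in the config above the two `if` blocks are separate statements, so the `else` belongs only to the `apache_error` test and every event without that tag reaches `drop`. Chaining the branches with `else if` turns them into one conditional, which gives the three-way behaviour listed in the post.

```logstash
filter {
  # One conditional chain: at most one branch runs per event.
  if "apache_access" in [tags] {
    grok {
      match => { "message" => "%{HTTPD_COMMONLOG}" }
    }
  } else if "apache_error" in [tags] {
    grok {
      match => { "message" => "%{HTTPD24_ERRORLOG}" }
    }
  } else {
    # Reached only when neither tag is present.
    drop { }
  }
}
```

An event carrying both tags is handled by the first matching branch only. Events that have one of the tags but fail the grok pattern are kept and, by default, tagged `_grokparsefailure`, so they stay visible downstream instead of being dropped.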