If statement in grok filter

shwesinhan · December 18, 2017, 9:18am

hi everyone!

is there anyway to check aws logstream name in logstash grok filter?

eg:

filter {	
	if "cloudwatch_logs.log_stream" == "TEST1" {  
		grok {
			# type1			
			match => { "message" => [ "^(?<log_timestamp>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{1,3}).*?PROJ1(?<threadno>\d+).*%{WORD:log_level}.*?(?<session_id>\w+)\s{0,}:::\s{0,}RECEIVED\sDATA\s{0,}:"]}
			add_field => { "project_type" => "PROJ1" }
			add_field => { "transaction_type" => "TYPE1" }
		}
		
		grok {
			# type2
			match => { "message" => [ "^(?<log_timestamp>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{1,3}).*?(?<threadno>\d+).*%{WORD:log_level}.*?PROJ2\s+:\s+(?<session_id>\w+)\s{0,}:::\s{0,}\sRequest\s{0,}:"]}
			add_field => { "project_type" => "PROJ2" }
			add_field => { "transaction_type" => "TYPE2" }
		}	
	}
	
	else if [cloudwatch_logs.log_stream] == "TEST2" {  		
		.....	
	}

      else if [cloudwatch_logs.log_stream] == "TEST3" {  		
		.....	
	}
}

magnusbaeck · December 18, 2017, 9:28am

Yes.

You're probably referencing the field name in the wrong way. See https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html#logstash-config-field-references for how to reference nested fields.

shwesinhan · December 18, 2017, 10:27am

thank you @magnusbaeck
it works!

system · January 15, 2018, 10:28am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
If conditional statement field source Logstash	2	1850	July 26, 2017
Conditionals within filter using fields generated by cloudwatch logs plugin Logstash	3	1179	August 15, 2018
Grok filter if [type] Logstash	5	6103	January 16, 2017
Logstash Filter If loop Logstash	2	100	February 27, 2024
If Else in logstash filter Logstash	7	1715	November 3, 2020

If statement in grok filter

Related topics