If statement in grok filter

Elastic Stack Logstash
1

hi everyone!

is there anyway to check aws logstream name in logstash grok filter?

eg:

filter {	
	if "cloudwatch_logs.log_stream" == "TEST1" {  
		grok {
			# type1			
			match => { "message" => [ "^(?<log_timestamp>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{1,3}).*?PROJ1(?<threadno>\d+).*%{WORD:log_level}.*?(?<session_id>\w+)\s{0,}:::\s{0,}RECEIVED\sDATA\s{0,}:"]}
			add_field => { "project_type" => "PROJ1" }
			add_field => { "transaction_type" => "TYPE1" }
		}
		
		grok {
			# type2
			match => { "message" => [ "^(?<log_timestamp>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{1,3}).*?(?<threadno>\d+).*%{WORD:log_level}.*?PROJ2\s+:\s+(?<session_id>\w+)\s{0,}:::\s{0,}\sRequest\s{0,}:"]}
			add_field => { "project_type" => "PROJ2" }
			add_field => { "transaction_type" => "TYPE2" }
		}	
	}
	
	else if [cloudwatch_logs.log_stream] == "TEST2" {  		
		.....	
	}

      else if [cloudwatch_logs.log_stream] == "TEST3" {  		
		.....	
	}
}
2

Yes.

You're probably referencing the field name in the wrong way. See https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html#logstash-config-field-references for how to reference nested fields.

1 Like
3

thank you @magnusbaeck
it works!

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.