If statement incorrectly matches wildcard


I have the following piece of code and noticed that for some reason when the IP is in the 192.168.150.* range, both dev and test are matched. If the IP is in the 192.168.1.* range it correctly matches only dev.

If the IP is in the 192.168.0.* range (and the other IP still in the 150.* range) the same issue does not occur and int_lan is only dev or test.

Based on this I'm guessing the wildcard is applied after 192.168.1* and not after the third octet like I want.

  if [src_addr] =~ "192.168.150.*" {
    mutate {
      add_field => { "int_lan" => "test" }
    }
  }

  if [src_addr] =~ "192.168.1.*" {
    mutate {
      add_field => { "int_lan" => "dev" }
    }
  }

You are right :)

In fact, with =~ you are not using wildcards but a regular expression comparison.

If you don't want to invest more time learning it, these are the minimum hints:

. will match exactly 1 character. It's "the wildcard" for only 1 character, no matter which type (letter, number, symbol, space, etc.).
\. If you want to match the exact "point" character, you have to escape it.
* is a quantifier that means "zero or more occurrences" for the preceding element.

A quick way to write your desired conditions would be:

if [src_addr] =~ "192\.168\.150\..*" { #only matches "192.168.150." + whatever comes after.
if [src_addr] =~ "192\.168\.1\..*" { #only matches "192.168.1." + whatever comes after.
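Added example, not part of the original thread: a Ruby comparison of the question's unescaped patterns and the answer's escaped ones, assuming Logstash's =~ behaves like an unanchored Ruby regex search. It goes one step further than the thread by adding anchored patterns and a CIDR membership check; those, the helper names and the sample addresses are constructed for illustration.

```ruby
require "ipaddr"

# Patterns as posted in the question (dots unescaped) and in the answer (dots escaped).
LOOSE  = { "test" => /192.168.150.*/,     "dev" => /192.168.1.*/ }
STRICT = { "test" => /192\.168\.150\..*/, "dev" => /192\.168\.1\..*/ }
# Added here, not from the thread: anchored patterns and CIDR ranges for the same /24s.
ANCHORED = { "test" => /\A192\.168\.150\.\d{1,3}\z/, "dev" => /\A192\.168\.1\.\d{1,3}\z/ }
CIDRS    = { "test" => IPAddr.new("192.168.150.0/24"), "dev" => IPAddr.new("192.168.1.0/24") }

# Labels whose pattern matches addr; every rule is tested, like independent `if` blocks.
def regex_labels(rules, addr)
  rules.select { |_label, re| addr =~ re }.keys
end

# Labels whose network contains addr; values that are not valid addresses get no label.
def cidr_labels(addr)
  ip = IPAddr.new(addr)
  CIDRS.select { |_label, net| net.include?(ip) }.keys
rescue IPAddr::InvalidAddressError
  []
end

# Constructed sample values; the last one is deliberately malformed.
SAMPLES = %w[192.168.150.7 192.168.1.20 192.168.0.9 192.168.15.3 1192.168.1.5]

# Runs one address through all four rule sets so the results can be compared side by side.
def compare(addr)
  { loose: regex_labels(LOOSE, addr), strict: regex_labels(STRICT, addr),
    anchored: regex_labels(ANCHORED, addr), cidr: cidr_labels(addr) }
end

SAMPLES.each { |addr| puts format("%-15s %s", addr, compare(addr)) }
```

The unescaped "dev" pattern also labels 192.168.15.3, a subnet the rule was never meant to cover, which matters when the field is later used for filtering or alerting.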

Thank you.

I will read up on regular expressions. Your explanation makes things a lot more obvious already.
