If statement is failing to match for certain values.. pls help

I have syslog network messages successfully parsed with Logstash.
Event 1 has [system][syslog][hostname]=10.20.0.3
Event 2 has [system][syslog][hostname]=10.111.0.3

However, the following statements fail to match for 10.111.x.x, and never use the last else statement.
Any ideas?

I'm trying to match as follows

    if [system][syslog][hostname] =~ /10\.111\..*/ {
      mutate {
        add_field => {
          "[geoip][location][latitude]"  => "77.777777"
          "[geoip][location][longitude]" => "77.777777"
        }
      }
    }
    else if [system][syslog][hostname] =~ /10\.20\./ {
      mutate {
        add_field => {
          "[geoip][location][latitude]"  => "88.888888"
          "[geoip][location][longitude]" => "88.888888"
        }
      }
    }
    else {
      mutate {
        add_field => {
          "[geoip][location][latitude]"  => "99.999999"
          "[geoip][location][longitude]" => "99.999999"
        }
      }
    }

You are testing [system][syslog][hostname], not [syslog][system][hostname]

Sorry, that was a typo. I meant that the fields as matched by grok should be [system][syslog][hostname],
and the Discover console is showing this correctly.

issue resolved:

I changed all my match statements to use .* in the match

i.e.

"[system][syslog][hostname] =~ /10\.111\..*/"
"[system][syslog][hostname] =~ /10\.20\..*/"

all issues seemed to go away overnight... =) thx
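
An added example, not code from any poster in this thread: it runs the thread's patterns through plain Ruby to show which branch each form selects for a given hostname, alongside a start-anchored variant. It assumes Logstash's `=~` is an unanchored regex search like Ruby's; the `ANCHORED` rules, the `select_branch` helper and all sample hostnames other than the two from the thread are constructed for illustration.

```ruby
# Branch order and coordinate values as posted in the thread.
POSTED = [
  [/10\.111\..*/, "77.777777"],
  [/10\.20\./,    "88.888888"],
].freeze

# The form from the final post: trailing .* on every pattern.
WITH_WILDCARD = [
  [/10\.111\..*/, "77.777777"],
  [/10\.20\..*/,  "88.888888"],
].freeze

# Hypothetical stricter variant: the prefix must start the string.
ANCHORED = [
  [/\A10\.111\./, "77.777777"],
  [/\A10\.20\./,  "88.888888"],
].freeze

DEFAULT = "99.999999" # value set by the final else branch

# Mimics the if / else if / else chain: first matching pattern wins.
def select_branch(rules, hostname)
  rules.each { |pattern, value| return value if hostname =~ pattern }
  DEFAULT
end

# First two hostnames are from the thread; the rest are constructed.
SAMPLES = ["10.20.0.3", "10.111.0.3", "210.111.0.3",
           "110.20.0.3", "172.16.0.1"].freeze

# Returns one row per hostname: [host, posted, with_wildcard, anchored].
def comparison_table
  SAMPLES.map do |host|
    [host,
     select_branch(POSTED, host),
     select_branch(WITH_WILDCARD, host),
     select_branch(ANCHORED, host)]
  end
end

if __FILE__ == $PROGRAM_NAME
  puts format("%-14s %-10s %-10s %-10s", "hostname", "posted", "with .*", "anchored")
  comparison_table.each { |row| puts format("%-14s %-10s %-10s %-10s", *row) }
end
```

In the table, the posted and `.*` columns are identical for every sample, while the anchored column differs only for hostnames that merely contain `10.111.` or `10.20.` somewhere after the first character.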
