If statement is not working for a certain path [log][file][path]

Can you please help me understand why this "if" is not working on this path?

This path comes from Filebeat to Logstash:
"E:\OUM82\EGGED\TI_DS_FILES\INFASQLS_LOGS\INFASQLS-Extractor-legacy_BI_Repository-28072019.log"

    if [log][file][path] =~ "INFASQL" {
        mutate { add_field => { "extractor" => "INFASQLS" }}
    }

There are no errors at all, anywhere...

If the mutate does not occur that suggests that the event does not have a [log][file][path] field. What does the event look like on the JSON tab in Kibana/Discover?

As you can see, it exists.

    {
      "_index": "filebeat-2019.07.28",
      "_type": "_doc",
      "_id": "hOFLOWwBWUXxYaxGvl65",
      "_version": 1,
      "_score": null,
      "_source": {
        "isReadForAlerting": "0",
        "driveLetter": "E:",
        "@timestamp": "2019-07-28T15:55:59.941Z",
        "fields": {
          "logtype": "log4net"
        },
        "sourceTimestamp": "2019-07-28 18:55:55",
        "threadid": "394",
        "customerFolder": "EGGED",
        "rootFolder": "OUM82",
        "input": {
          "type": "log"
        },
        "@version": "1",
        "loglevel": "INFO",
        "message": "2019-07-28 18:55:55,394 INFO - Executing query (263) to: TI.SHD_DB_UI_ETL_DETAILS , ConnectionID: 102, Database: TI_EGGED17_Prod_82, Connection Name: legacy_BI_Repository, Tool Name: INFASQLS_POST_LINEAGE_GSP ",
        "ecs": {
          "version": "1.0.0"
        },
        "sourceMessage": "- Executing query (263) to: TI.SHD_DB_UI_ETL_DETAILS , ConnectionID: 102, Database: TI_EGGED17_Prod_82, Connection Name: legacy_BI_Repository, Tool Name: INFASQLS_POST_LINEAGE_GSP ",
        "log": {
          "offset": 5261690,
          "file": {
            "path": "E:\\OUM82\\EGGED\\TI_DS_FILES\\INFASQLS_LOGS\\INFASQLS-Extractor-legacy_BI_Repository-28072019.log"
          }
        },
        "cloud": {
          "instance": {
            "name": "OctUpload",
            "id": "768097b1-bfb9-4939-b99c-5337aede39ca"
          },
          "machine": {
            "type": "Standard_DS13_v2"
          },
          "provider": "az",
          "region": "westeurope"
        },
        "host": {
          "architecture": "x86_64",
          "os": {
            "name": "Windows Server 2016 Datacenter",
            "build": "14393.2608",
            "family": "windows",
            "version": "10.0",
            "kernel": "10.0.14393.2608 (rs1_release.181024-1742)",
            "platform": "windows"
          },
          "id": "d79c20df-4184-41a8-b95d-83669c8e3fbe",
          "name": "OctUpload",
          "hostname": "OctUpload"
        },
        "tags": [
          "beats_input_codec_plain_applied"
        ],
        "agent": {
          "hostname": "OctUpload",
          "id": "83fb6261-5872-4d95-853a-44f2cc41d436",
          "version": "7.0.0",
          "ephemeral_id": "2c8821d5-13f8-442e-958e-5288fb36378d",
          "type": "filebeat"
        },
        "isParserLog": "FALSE"
      },
      "fields": {
        "@timestamp": [
          "2019-07-28T15:55:59.941Z"
        ]
      },
      "highlight": {
        "message": [
          "2019-07-28 18:55:55,394 INFO - Executing query (263) to: TI.SHD_DB_UI_ETL_DETAILS , ConnectionID: 102, Database: TI_EGGED17_Prod_82, Connection Name: legacy_BI_Repository, Tool Name: @kibana-highlighted-field@INFASQLS_POST_LINEAGE_GSP@/kibana-highlighted-field@"
        ],
        "customerFolder.keyword": [
          "@kibana-highlighted-field@EGGED@/kibana-highlighted-field@"
        ]
      },
      "sort": [
        1564329359941
      ]
    }

I cannot explain that. If I run with these filters

    mutate { add_field => { "[log][file][path]" => "E:\OUM82\EGGED\TI_DS_FILES\INFASQLS_LOGS\INFASQLS-Extractor-legacy_BI_Repository-28072019.log" } }
    if [log][file][path] =~ "INFASQL" {
        mutate { add_field => { "extractor" => "INFASQLS" }}
    }

then the extractor field does get added.
