IF Statement With RegEx

Elastic Stack Logstash
1

Hi,

I'm using an IF statement with RegEx but it's never true and seems to skip the whole IF statement.

It doesn't get a far as "[message] =~ /(\QChanges\E)/" so I assume that probably doesn't work either as the first condition isn't met or wrong.

The part that isn't working is in Bold.

Please advise.

Thanks

Martin

example:
message string: "some text FIM more text"

filter {
if [type] == "acsc-main-alerts" {
mutate {
convert => { "eventtime" => "string" }
}
date {
match => [ "eventtime", "ISO8601" ]
remove_field => [ "eventtime" ]
}
if [message] =~ /\QFIM\E/ {
mutate {
add_field => { "severity" => "%{criticality}" }
}
if [message] =~ /(\QChanges\E)/ {
mutate {
add_field => { "acsctype" => "FIM Change" }
}
} else if [message] =~ /(\QErrors\E)/ {
mutate {
add_field => { "acsctype" => "FIM Error" }
}
}
}
}
}

2

\Q and \E are a feature of Java regexps. I do not believe Ruby regexps implement them, so it will expect the match them in the string. Why do you need them for a string like FIM?

3

Thanks for the reply.
I'm trying to match if the word FIM exist anywhere within the string i.e "some text FIM more text".

4

In that case \Q and \E are inappropriate. Just use

if [message] =~ /FIM/ ...
5

Mate,u cant use \Q and \E with this system.It is all valid till Java regexps...U cant expect it to run in every software..SO avoid using this as it is not gonna work..U can also find command guidelines from official site

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.