IF syntax

I seem to be having issues with getting an if statement to function. Below are the syntaxes I have tried on 6.2.3, but neither of them has an effect. The event is passing through but it's not getting tagged. I have not turned on debug yet... just wanting another set of eyes to verify the syntax first or suggest a better method to accomplish this.

# =~ tests a string field against a regexp; anchored so that a value such
# as "12" or "4625" does not match on a partial "(1|2|3)" hit.
if [field] =~ "^(1|2|3)$" {
  mutate {
    add_tag => [ "tag1", "tag2" ]
  }
}


# "in" against a list of integers; only matches when the field holds an
# integer (the string "1" is not equal to the integer 1).
if [field] in [ 1, 2, 3 ] {
  mutate {
    add_tag => [ "tag1", "tag2" ]
  }
}

Either one can be correct depending on what field contains.

Ya, I kinda figured that was coming, lol.

The field is the `event_id` field collected by the Winlogbeat agent. Looking at the JSON of the event, the field isn't embedded in another field, so I am a bit lost on where the failure is. The exact config line looks like below. I'm also aware the JSON in the picture isn't going to match the if statement below, but where the event ID does equal a value below, the tag isn't applied.

# As posted: =~ only tests a string, so an integer event_id never matches,
# and the alternation is unanchored (a string "14625" would also match).
if [event_id] =~ "(529|530|531|532|533|534|535|536|537|538|539|4625|4771)" {
  mutate {
    add_tag => [ "tag1", "tag2" ]
  }
}

Okay, so the field contains an integer. Then the second suggestion you made should work fine and should be more efficient than the regexp-based option.
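As an added example (not the thread's own config), here is a complete minimal pipeline that applies the integer-list comparison from the reply above to constructed Winlogbeat-style events. The generator input, the three sample events and the tag names are assumptions; the mutate convert step is added so that an event_id sent as a string by some other source takes the same path as the integer Winlogbeat sends:

```logstash
# Added example; not the thread's own config. Constructed events stand in for
# Winlogbeat output, where event_id arrives as an integer.
input {
  generator {
    lines => [
      '{"event_id": 4625, "message": "An account failed to log on."}',
      '{"event_id": 4624, "message": "An account was successfully logged on."}',
      '{"event_id": "529", "message": "Logon failure (event_id sent as a string)."}'
    ]
    count => 1
    codec => "json"
  }
}

filter {
  # Normalise the type first: the string "529" is not equal to the integer
  # 529, so without this the third sample event would not be tagged.
  # Converting a field that is already an integer is a no-op.
  mutate {
    convert => { "event_id" => "integer" }
  }

  # Membership test on a list of integers. =~ tests a string against a
  # regexp, so it never matches an integer field, and an unanchored
  # alternation such as "(1|2|3)" would also match 4625 on a string field.
  if [event_id] in [529, 530, 531, 532, 533, 534, 535, 536, 537, 538, 539, 4625, 4771] {
    mutate {
      add_tag => [ "tag1", "tag2" ]
    }
  }
}

output {
  stdout { codec => rubydebug }
}
```

Run it with `bin/logstash -f` pointing at the file and inspect the rubydebug output for the `tags` array. Keeping the conversion unconditional and separate from the conditional is deliberate: the list comparison then holds for every source feeding the pipeline, and a downstream detection that counts tagged failed-logon events such as 4625 does not silently miss the ones whose ID happened to be typed as a string.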
