Is there a "stop" instruction in the block that skips to the next block?

mfloris · August 5, 2022, 11:24am

I want to split my filter block into separate files for better readability and easier maintenance and of course by doing that I cannot if-else through the various checks meaning that every input will go through all the filters.

In rsyslog there's a "stop" instruction that prevents this from happening but I cannot find a way to do the same thing in Logstash.

Something like this:

input {
  udp {
    port => 5514
  }
}

filter {
  if "thisToken" in [message] {
    json {
    source => "message"
    add_tag => ["this"]
   }
   stop  #<------------ how?

  if "thatToken" in [message] {
    json {
    source => "message"
    add_tag => ["that"]
   }
   stop #<------------ how?
}

output {
  file {
    path => "/var/log/logstash/output.log"
  }  
}

leandrojmp · August 5, 2022, 12:31pm

No, that is not possible.

Every event will go through all the conditionals you have, but this is irrelevant as this has little to no impact in the performance.

I have the same scenario, configuration split in multiple files with conditonals, and I have no issues.

system · September 2, 2022, 12:32pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.