Is there a "stop" instruction in the block that skips to the next block?

mfloris · August 5, 2022, 11:24am

I want to split my filter block into separate files for better readability and easier maintenance and of course by doing that I cannot if-else through the various checks meaning that every input will go through all the filters.

In rsyslog there's a "stop" instruction that prevents this from happening but I cannot find a way to do the same thing in Logstash.

Something like this:

input {
  udp {
    port => 5514
  }
}

filter {
  if "thisToken" in [message] {
    json {
    source => "message"
    add_tag => ["this"]
   }
   stop  #<------------ how?

  if "thatToken" in [message] {
    json {
    source => "message"
    add_tag => ["that"]
   }
   stop #<------------ how?
}

output {
  file {
    path => "/var/log/logstash/output.log"
  }  
}

leandrojmp · August 5, 2022, 12:31pm

No, that is not possible.

Every event will go through all the conditionals you have, but this is irrelevant as this has little to no impact in the performance.

I have the same scenario, configuration split in multiple files with conditonals, and I have no issues.

system · September 2, 2022, 12:32pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Stop filter processing of the event on condition match and jump to output Logstash	3	300	June 23, 2022
If _grokparsefailure break condition Logstash	2	3455	April 4, 2018
Skip to end of filter if the grok pattern does not match Logstash	3	798	March 20, 2021
How to exclude bad output (lines not matching 'grok' pattern) from logstash? Logstash	9	22908	November 4, 2022
Stop Logstash with a Filter or Ruby-Code Logstash	4	844	February 8, 2021

Is there a "stop" instruction in the block that skips to the next block?

Related Topics