Issue with conditional in output definition

wanexa · January 31, 2019, 4:46pm

trying to put two conditions on my output for grok or geopip failure
I tried :
if ("_grokparsefailure" not in [tags] or "_geoip_lookup_failure" not in [tags])
if "_grokparsefailure" not in [tags] or "_geoip_lookup_failure" not in [tags]
if "_grokparsefailure" or "_geoip_lookup_failure" not in [tags]
if ("_grokparsefailure" or "_geoip_lookup_failure" not in [tags])
if "_grokparsefailure" not in [tags] {
...
}
else if "_geoip_lookup_failure" not in [tags] [
..
}

stiil get "Invalid index name [xxx,_geoip_lookup_failure-2019.01.31]

Can you help me please

Badger · January 31, 2019, 4:53pm

You cannot have a comma in an index name.

You can see what is not allowed by looking at the tests (also here).

wanexa · January 31, 2019, 4:55pm

I know that s not the point I talk about conditional , works with if "_grokparsefailure" not in [tags] {
trying with two conditions!

Badger · January 31, 2019, 5:04pm

OK, so that evaluates to false on events that have both tags, otherwise true. Is that what you want? If not, what do you want?

wanexa · January 31, 2019, 5:07pm

so that evaluates to false on events that have both tags --> not both tags at least one of them

Badger · January 31, 2019, 5:10pm

If a document has _grokparsefailure but not _geoip_lookup_failure then that evaluates to (false or true), which evaluates to true.

Perhaps you want

if ("_grokparsefailure" in [tags] or "_geoip_lookup_failure" in [tags]) {
    # One or both
} else {
    # Neither
}

wanexa · January 31, 2019, 5:13pm

I want if ("_grokparsefailure" not in [tags] or "_geoip_lookup_failure" not in [tags]) --> don t work !! stiil get "Invalid index name [xxx,_geoip_lookup_failure-2019.01.31]
"or" in the condition seems not working with "(" or not

wanexa · January 31, 2019, 6:05pm

Ok the problem is logstash can't have two "not in" conditions
if ("_grokparsefailure" not in [tags] or "_geoip_lookup_failure" not in [tags])--> don t work

if "_grokparsefailure" not in [tags] { ... } if "_geoip_lookup_failure" not in [tags] [ .. }--> dont work

how to get rid of it ?

Badger · January 31, 2019, 6:24pm

This is not true. It may not work the way you want it to, but it works.

wanexa · January 31, 2019, 6:37pm

it s true it s not working
if ("_grokparsefailure" not in [tags] or "_geoip_lookup_failure" not in [tags])
try it and you ll see in logstash's output

system · February 28, 2019, 6:37pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.