Issues with if statement, grok, and mutate


(Eric) #1

I'm having issues with a conditional statement. I have a grok filter used to parse through a dataset, of which a field named domain will be created. Then, I want a regex conditional to check if that field matches %{HOST} and if it does, use mutate to add_field a new field "hostname" => "%{domain}"

However, when parsed the new field is not created.

When explicitly added to the grok filter as an add_field line, it works. However, I won't be able to run a verification check on it.

Working version:

filter {
    if [dataType] == "domainIQ" {
    grok {
        # Main regex
        match => [ "message", "\A%{HOST:domain},%{IPV4:domainIP},%{IPV4:ip.subnet},([-]||(%{HOST:mx})),([-]||(%{IPV4:mxIP})),([-]||(?<dns>[a-zA-Z0-9.]+)),\"?([Uu]nknown|(?<isp>[a-zA-Z0-9ÁÉÍÓÚ-áéíóu-ñÑ .,+'*&\\#~\-_(){}?=:/]+))\"?,\"?([Uu]nknown|(?<ispCity>[a-zA-Z .]+))\"?,([Uu]nknown|(?<ispRegion>([a-zA-Z]+)|([a-zA-Z]{2}))),\"?([Uu]nknown|(?<ispCountry>[a-zA-Z #]+|[a-zA-Z]{2}))\"?,\"?([Uu]nknown|(?<domainIPorg>[a-zA-Z0-9ÁÉÍÓÚ-áéíóu-ñÑ .,+'*&\\#~\-_(){}?=:/]+))\"?,\"?([Uu]nkown|(?<domainOrgCity>[a-zA-Z .]+))\"?,([Uu]nknown|(?<domainOrgRegion>[a-zA-Z0-9 ]+)),\"?([Uu]nknown|(?<domainOrgCountry>[a-zA-Z #]+|[a-zA-Z]{2}))\"?" ]

        add_field => { "hostname" => "%{domain}" }
            add_field => { "dataSource" => "http://www.domainiq.com/bulk_whois_ip" }
            tag_on_failure => [ "_grokparsefailure", "1003_filter-domainiq.conf" ]
    }
    }
}

Non-working Version 1:

filter {
    if [dataType] == "domainIQ" {
    grok {
        # Main regex
        match => [ "message", "\A%{HOST:domain},%{IPV4:domainIP},%{IPV4:ip.subnet},([-]||(%{HOST:mx})),([-]||(%{IPV4:mxIP})),([-]||(?<dns>[a-zA-Z0-9.]+)),\"?([Uu]nknown|(?<isp>[a-zA-Z0-9ÁÉÍÓÚ-áéíóu-ñÑ .,+'*&\\#~\-_(){}?=:/]+))\"?,\"?([Uu]nknown|(?<ispCity>[a-zA-Z .]+))\"?,([Uu]nknown|(?<ispRegion>([a-zA-Z]+)|([a-zA-Z]{2}))),\"?([Uu]nknown|(?<ispCountry>[a-zA-Z #]+|[a-zA-Z]{2}))\"?,\"?([Uu]nknown|(?<domainIPorg>[a-zA-Z0-9ÁÉÍÓÚ-áéíóu-ñÑ .,+'*&\\#~\-_(){}?=:/]+))\"?,\"?([Uu]nkown|(?<domainOrgCity>[a-zA-Z .]+))\"?,([Uu]nknown|(?<domainOrgRegion>[a-zA-Z0-9 ]+)),\"?([Uu]nknown|(?<domainOrgCountry>[a-zA-Z #]+|[a-zA-Z]{2}))\"?" ]

        #add_field => { "hostname" => "%{domain}" }
        add_field => { "dataSource" => "http://www.domainiq.com/bulk_whois_ip" }
        tag_on_failure => [ "_grokparsefailure", "1003_filter-domainiq.conf" ]
    }
        if [domain] =~ "%{HOST}" { mutate { add_field => { "hostname" => "%{domain}" }}}
        if [domainIP] =~ "%{IPV4}" { mutate { add_field => { "ip" => "%{domainIP}" }}}
    
        if [mx] =~ "%{HOST}" { mutate { add_field => { "hostname" => "%{mx}" }}}    
        if [mxIP] =~ "%{IPV4}" { mutate { add_field => { "ip" => "%{mxIP}" }}}
    }
}

Non-working Version 2:

filter {
    if [dataType] == "domainIQ" {
    grok {
        # Main regex
        match => [ "message", "\A%{HOST:domain},%{IPV4:domainIP},%{IPV4:ip.subnet},([-]||(%{HOST:mx})),([-]||(%{IPV4:mxIP})),([-]||(?<dns>[a-zA-Z0-9.]+)),\"?([Uu]nknown|(?<isp>[a-zA-Z0-9ÁÉÍÓÚ-áéíóu-ñÑ .,+'*&\\#~\-_(){}?=:/]+))\"?,\"?([Uu]nknown|(?<ispCity>[a-zA-Z .]+))\"?,([Uu]nknown|(?<ispRegion>([a-zA-Z]+)|([a-zA-Z]{2}))),\"?([Uu]nknown|(?<ispCountry>[a-zA-Z #]+|[a-zA-Z]{2}))\"?,\"?([Uu]nknown|(?<domainIPorg>[a-zA-Z0-9ÁÉÍÓÚ-áéíóu-ñÑ .,+'*&\\#~\-_(){}?=:/]+))\"?,\"?([Uu]nkown|(?<domainOrgCity>[a-zA-Z .]+))\"?,([Uu]nknown|(?<domainOrgRegion>[a-zA-Z0-9 ]+)),\"?([Uu]nknown|(?<domainOrgCountry>[a-zA-Z #]+|[a-zA-Z]{2}))\"?" ]

        #add_field => { "hostname" => "%{domain}" }
        add_field => { "dataSource" => "http://www.domainiq.com/bulk_whois_ip" }
        tag_on_failure => [ "_grokparsefailure", "1003_filter-domainiq.conf" ]
    }
    }
}

filter {
    if [dataType] == "domainIQ" {
        if [domain] =~ "%{HOST}" { mutate { add_field => { "hostname" => "%{domain}" }}}
        if [domainIP] =~ "%{IPV4}" { mutate { add_field => { "ip" => "%{domainIP}" }}}
    
        if [mx] =~ "%{HOST}" { mutate { add_field => { "hostname" => "%{mx}" }}}    
        if [mxIP] =~ "%{IPV4}" { mutate { add_field => { "ip" => "%{mxIP}" }}}
    }
}

(system) #2