I'm having issues with a conditional statement. I have a grok filter used to parse through a dataset, of which a field named domain will be created. Then, I want a regex conditional to check if that field matches %{HOST} and if it does, use mutate to add_field a new field "hostname" => "%{domain}"
However, when parsed the new field is not created.
When explicitly added to the grok filter as an add_field line, it works. However, I won't be able to run a verification check on it.
Working version:
filter {
if [dataType] == "domainIQ" {
grok {
# Main regex
match => [ "message", "\A%{HOST:domain},%{IPV4:domainIP},%{IPV4:ip.subnet},([-]||(%{HOST:mx})),([-]||(%{IPV4:mxIP})),([-]||(?<dns>[a-zA-Z0-9.]+)),\"?([Uu]nknown|(?<isp>[a-zA-Z0-9ÁÉÍÓÚ-áéíóu-ñÑ .,+'*&\\#~\-_(){}?=:/]+))\"?,\"?([Uu]nknown|(?<ispCity>[a-zA-Z .]+))\"?,([Uu]nknown|(?<ispRegion>([a-zA-Z]+)|([a-zA-Z]{2}))),\"?([Uu]nknown|(?<ispCountry>[a-zA-Z #]+|[a-zA-Z]{2}))\"?,\"?([Uu]nknown|(?<domainIPorg>[a-zA-Z0-9ÁÉÍÓÚ-áéíóu-ñÑ .,+'*&\\#~\-_(){}?=:/]+))\"?,\"?([Uu]nkown|(?<domainOrgCity>[a-zA-Z .]+))\"?,([Uu]nknown|(?<domainOrgRegion>[a-zA-Z0-9 ]+)),\"?([Uu]nknown|(?<domainOrgCountry>[a-zA-Z #]+|[a-zA-Z]{2}))\"?" ]
add_field => { "hostname" => "%{domain}" }
add_field => { "dataSource" => "http://www.domainiq.com/bulk_whois_ip" }
tag_on_failure => [ "_grokparsefailure", "1003_filter-domainiq.conf" ]
}
}
}
Non-working Version 1:
filter {
if [dataType] == "domainIQ" {
grok {
# Main regex
match => [ "message", "\A%{HOST:domain},%{IPV4:domainIP},%{IPV4:ip.subnet},([-]||(%{HOST:mx})),([-]||(%{IPV4:mxIP})),([-]||(?<dns>[a-zA-Z0-9.]+)),\"?([Uu]nknown|(?<isp>[a-zA-Z0-9ÁÉÍÓÚ-áéíóu-ñÑ .,+'*&\\#~\-_(){}?=:/]+))\"?,\"?([Uu]nknown|(?<ispCity>[a-zA-Z .]+))\"?,([Uu]nknown|(?<ispRegion>([a-zA-Z]+)|([a-zA-Z]{2}))),\"?([Uu]nknown|(?<ispCountry>[a-zA-Z #]+|[a-zA-Z]{2}))\"?,\"?([Uu]nknown|(?<domainIPorg>[a-zA-Z0-9ÁÉÍÓÚ-áéíóu-ñÑ .,+'*&\\#~\-_(){}?=:/]+))\"?,\"?([Uu]nkown|(?<domainOrgCity>[a-zA-Z .]+))\"?,([Uu]nknown|(?<domainOrgRegion>[a-zA-Z0-9 ]+)),\"?([Uu]nknown|(?<domainOrgCountry>[a-zA-Z #]+|[a-zA-Z]{2}))\"?" ]
#add_field => { "hostname" => "%{domain}" }
add_field => { "dataSource" => "http://www.domainiq.com/bulk_whois_ip" }
tag_on_failure => [ "_grokparsefailure", "1003_filter-domainiq.conf" ]
}
if [domain] =~ "%{HOST}" { mutate { add_field => { "hostname" => "%{domain}" }}}
if [domainIP] =~ "%{IPV4}" { mutate { add_field => { "ip" => "%{domainIP}" }}}
if [mx] =~ "%{HOST}" { mutate { add_field => { "hostname" => "%{mx}" }}}
if [mxIP] =~ "%{IPV4}" { mutate { add_field => { "ip" => "%{mxIP}" }}}
}
}
Non-working Version 2:
filter {
if [dataType] == "domainIQ" {
grok {
# Main regex
match => [ "message", "\A%{HOST:domain},%{IPV4:domainIP},%{IPV4:ip.subnet},([-]||(%{HOST:mx})),([-]||(%{IPV4:mxIP})),([-]||(?<dns>[a-zA-Z0-9.]+)),\"?([Uu]nknown|(?<isp>[a-zA-Z0-9ÁÉÍÓÚ-áéíóu-ñÑ .,+'*&\\#~\-_(){}?=:/]+))\"?,\"?([Uu]nknown|(?<ispCity>[a-zA-Z .]+))\"?,([Uu]nknown|(?<ispRegion>([a-zA-Z]+)|([a-zA-Z]{2}))),\"?([Uu]nknown|(?<ispCountry>[a-zA-Z #]+|[a-zA-Z]{2}))\"?,\"?([Uu]nknown|(?<domainIPorg>[a-zA-Z0-9ÁÉÍÓÚ-áéíóu-ñÑ .,+'*&\\#~\-_(){}?=:/]+))\"?,\"?([Uu]nkown|(?<domainOrgCity>[a-zA-Z .]+))\"?,([Uu]nknown|(?<domainOrgRegion>[a-zA-Z0-9 ]+)),\"?([Uu]nknown|(?<domainOrgCountry>[a-zA-Z #]+|[a-zA-Z]{2}))\"?" ]
#add_field => { "hostname" => "%{domain}" }
add_field => { "dataSource" => "http://www.domainiq.com/bulk_whois_ip" }
tag_on_failure => [ "_grokparsefailure", "1003_filter-domainiq.conf" ]
}
}
}
filter {
if [dataType] == "domainIQ" {
if [domain] =~ "%{HOST}" { mutate { add_field => { "hostname" => "%{domain}" }}}
if [domainIP] =~ "%{IPV4}" { mutate { add_field => { "ip" => "%{domainIP}" }}}
if [mx] =~ "%{HOST}" { mutate { add_field => { "hostname" => "%{mx}" }}}
if [mxIP] =~ "%{IPV4}" { mutate { add_field => { "ip" => "%{mxIP}" }}}
}
}