Json field check filter

In Logstash, adding a filter check based on a key field to add a tag does not work.

Sample JSON:

{
"eventSource" : { "objectName": "EVENT.Q1",
                    "objectType" : "Queue" },
"eventType" : {
    "name" : "Command Event",
    "value" : 46
  },
"eventReason" : {
    "name" : "Command PCF",
    "value" : 2413
  }
}

Filter:

filter {
  grok {
    match => [
      "source", "%{GREEDYDATA}/%{WORD:filename}.%{GREEDYDATA}.%{WORD:logext}"
    ]
  }

  if ([logext] == "json") {

    if ("[message][evetType][value]" == "46") {
      json {
        source => "message"
      }
      mutate {
        add_tag => [ "CommandEvent" ]
      }
    }
  }
  mutate {
    remove_field => ["filename","logext"]
  }
}

I took just the mutate part and this works for me.

# cat ls-tag.conf
input { stdin { codec => "json" } }
#input { stdin { } }

filter {
  if [eventType][value] == 46 {
    mutate {
      add_tag => [ "CommandEvent" ]
    }
  }
}
output {
  stdout { codec => rubydebug }
}

You have at least a typo in if ("[message][evetType][value]" == "46") (should be eventType)

Overall your filter section seems overly complicated to me but maybe I don't know enough about your implementation...

One more thing... I usually test using stdin as you can see from above. You can start Logstash with the above config file like

path/to/logstash_folder/bin/logstash -f /path/to/test.conf

My output looked like

# logstash-6.3.1/bin/logstash -f ls-tag.conf
Sending Logstash's logs to /root/tmp/logstash-6.3.1/logs which is now configured via log4j2.properties
[2019-01-25T10:55:15,541][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2019-01-25T10:55:15,632][INFO ][logstash.runner          ] Starting Logstash {"logstash.version"=>"6.3.1"}
[2019-01-25T10:55:16,075][INFO ][logstash.pipeline        ] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>12, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50}
[2019-01-25T10:55:16,104][INFO ][logstash.inputs.stdin    ] Automatically switching from json to json_lines codec {:plugin=>"stdin"}
The stdin plugin is now waiting for input:
[2019-01-25T10:55:16,127][INFO ][logstash.pipeline        ] Pipeline started successfully {:pipeline_id=>"main", :thread=>"#<Thread:0x207402b5@/root/tmp/logstash-6.3.1/logstash-core/lib/logstash/pipeline.rb:245 sleep>"}
[2019-01-25T10:55:16,140][INFO ][logstash.agent           ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[2019-01-25T10:55:16,197][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9601}
{"eventSource":{"objectName":"EVENT.Q1","objectType":"Queue"},"eventType":{"name":"Command Event","value":46},"eventReason":{"name":"Command PCF","value":2413}}
{
    "eventSource" => {
        "objectType" => "Queue",
        "objectName" => "EVENT.Q1"
    },
           "tags" => [
        [0] "CommandEvent"
    ],
           "host" => "mg1500.log0.mad1.bwcom.net",
     "@timestamp" => 2019-01-25T10:55:21.193Z,
      "eventType" => {
        "value" => 46,
         "name" => "Command Event"
    },
    "eventReason" => {
        "value" => 2413,
         "name" => "Command PCF"
    },
       "@version" => "1"
}
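For reference, here is an added example (not posted by anyone in this thread) of the same tagging pipeline built around the reply's working condition, with two points a practitioner usually wants spelled out: the json filter must run before the condition references a parsed field, and a bare field reference is compared, while a quoted one is just a string literal. It reads raw lines from stdin so [message] holds the unparsed text; the field names come from the sample document above, and the "needs_review" tag is an assumption.

```logstash
# Added example, not from the original thread. Each stdin line arrives as
# the string field [message]; the JSON is parsed before any field check.
input { stdin { } }

filter {
  # Parse first: [eventType][value] does not exist until the json filter has
  # run. Without a "target" the parsed keys land at the top level of the event,
  # so the reference is [eventType][value], not [message][eventType][value].
  json {
    source       => "message"
    remove_field => [ "message" ]   # only removed when parsing succeeded
  }

  # Malformed input gets the _jsonparsefailure tag from the json filter.
  # Route it aside so a bad line is visible instead of silently untagged.
  if "_jsonparsefailure" in [tags] {
    mutate { add_tag => [ "needs_review" ] }   # assumed tag name
  } else {
    # Unquoted field reference. Writing "[eventType][value]" in quotes would
    # compare that literal string with 46, which can never be true.
    # The sample carries value as a JSON number, so compare with 46, not "46".
    if [eventType][value] == 46 {
      mutate { add_tag => [ "CommandEvent" ] }
    }
  }
}

output {
  stdout { codec => rubydebug }
}
```

Run it the same way as the reply's test config (`bin/logstash -f this.conf`) and paste the sample document as a single line; the event should come out with "CommandEvent" in [tags] and no [message] field. Feeding it a non-JSON line shows the other path: [message] is kept, and [tags] carries "_jsonparsefailure" plus "needs_review".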

Thanks. I did not realize the typo.
