Kv filter doubts

Arun_Murugappan · June 21, 2018, 12:27pm

Upon filtering the fields in kvs, can if or any other conditional statemnts be used on the keys and values. If so, how?

magnusbaeck · June 21, 2018, 12:28pm

https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html

Arun_Murugappan · June 21, 2018, 1:45pm

Hi Magnus but in the if statements how do you specify the keys/values as a condition

Arun_Murugappan · June 21, 2018, 1:49pm

Let say the snippet is "error":"1" , "usrname:"tom" If i pass it across kv fliter i get all these four fields separately. Now i want to specify if the error is 1, then network is down, error is 2 sotware is out dated (just for an example); then how do i use the use if statemnt after writinga a kv filter

magnusbaeck · June 21, 2018, 1:51pm

There are several examples of just that in the Conditionals section of the page I linked to.

rcowart · June 21, 2018, 2:05pm

For an enumeration such as your example you can use the translate filter.

Arun_Murugappan · June 25, 2018, 7:18am

if conditions works fine with the most. But if followed by a key , it doesnt work.

Arun_Murugappan · June 25, 2018, 7:20am

can if statments be used in the filter section but outside the mutate section.?

magnusbaeck · June 25, 2018, 7:51am

if conditions works fine with the most. But if followed by a key , it doesnt work.

I don't understand what you mean. Please always give examples instead of describing things with words.

can if statments be used in the filter section but outside the mutate section.?

Yes.

Arun_Murugappan · June 25, 2018, 10:06am

I tried to use else statement in filter section. It threwan error.

Arun_Murugappan · June 25, 2018, 10:06am

thanks

Arun_Murugappan · June 25, 2018, 10:08am

error reads as "Coudnt find any plug in named else"

magnusbaeck · June 25, 2018, 10:26am

error reads as "Coudnt find any plug in named else"

Then you used the wrong syntax, got your braces mixed up, or something else.

Arun_Murugappan · July 3, 2018, 9:27am

yes i have mixed up with double quotes

Arun_Murugappan · July 3, 2018, 9:30am

Hi Magnus

How do i make a search case insensitive.

For example, The input text is as follows : if statuscode=001 or StatusCode=001, StaTUSCode=001. I have to design a filter that can pick up any combination of statuscode irrrespective of its case.

magnusbaeck · July 3, 2018, 9:56am

Wouldn't the kv filter's transform_key option help?

Arun_Murugappan · July 3, 2018, 10:26am

When i used transform_key, i obtained the following error

Unknown setting 'transform_key' for kv {:level=>:error}
Error: Something is wrong with your configuration. {:level=>:error}

magnusbaeck · July 3, 2018, 10:57am

You need to upgrade your kv plugin. If your version of Logstash is too old you may have to upgrade Logstash as well.

Arun_Murugappan · July 3, 2018, 11:28am

is there a command to upgade kvplugin and logstash . Is the Upgrading kv plugin is different from upgrading logstash?

magnusbaeck · July 3, 2018, 1:33pm

The Logstash documentation describes how to upgrade individual plugins.