I have different filters for different fields in the messages and separate them with if statements. Now I have been trying to add one final section where none of the logs match and try to filter these through generic fields. I have tried with the else statement; however, this adds the No_Filter to all logs. Could someone maybe assist on how to add a final filter for all logs that do not match the initial ones? Here is a shortened example:
The else block only applies to the last if block, i.e. any event not matching that conditional is going to get the No_Filter tag. You need to follow this pattern:
Thank you for the response. When adding a tag with the if statements, once the else is hit, all logs are tagged with No_Filter. Maybe I am doing it wrong; here is what I did:
```
filter {
  if "10.10.10.12" in [message] {
    mutate {
      add_tag => "JUNIPER"
    }
  }
  if [message] =~ "RT_FLOW_SESSION_CLOSE" {
    mutate {
      add_tag => "FLOWCLOSE"
    }
  }
  if [message] =~ "RT_FLOW_SESSION_DENY" {
    mutate {
      add_tag => "FLOWDENY"
    }
  }
  if [message] =~ "FLOW_REASSEMBLE_FAIL" {
    mutate {
      add_tag => "FLOWFAIL"
    }
  }
  if [message] =~ "RT_SCREEN*" {
    mutate {
      add_tag => "RT_SCREEN"
    }
  }
  else if [message] =~ "sshd" {
    mutate {
      add_tag => "sshd"
    }
  }
  else {
    mutate {
      add_tag => "No_Filter"
    }
  }
}
```
You need to insert "else" before "if" in all places except the first "if". As it stands, all events except RT_SCREEN and sshd ones are going to get the No_Filter tag.
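The pattern the reply describes, written out as a complete filter block. This is an added example, not config from anyone in the thread, and it makes two choices the thread does not: the host check on `10.10.10.12` is kept outside the chain (an assumption that a Juniper event should carry both the JUNIPER tag and a message-type tag, which an else-if chain would prevent), and the regular expressions are written as `/.../` literals, since the right-hand side of `=~` is a regex in Logstash and the trailing `*` in `"RT_SCREEN*"` makes the final `N` optional rather than acting as a wildcard. Only an event that matches none of the chained branches reaches the final `else`.

```logstash
filter {
  # Host tag stays independent of the chain below: a Juniper event
  # should also receive whichever message-type tag applies.
  # (Design choice for this example; the thread does not specify it.)
  if "10.10.10.12" in [message] {
    mutate { add_tag => ["JUNIPER"] }
  }

  # Message-type tags are mutually exclusive, so every branch after the
  # first is an "else if". The closing "else" therefore fires only for
  # events that matched none of the patterns above it.
  if [message] =~ /RT_FLOW_SESSION_CLOSE/ {
    mutate { add_tag => ["FLOWCLOSE"] }
  } else if [message] =~ /RT_FLOW_SESSION_DENY/ {
    mutate { add_tag => ["FLOWDENY"] }
  } else if [message] =~ /FLOW_REASSEMBLE_FAIL/ {
    mutate { add_tag => ["FLOWFAIL"] }
  } else if [message] =~ /RT_SCREEN/ {
    mutate { add_tag => ["RT_SCREEN"] }
  } else if [message] =~ /sshd/ {
    mutate { add_tag => ["sshd"] }
  } else {
    # Reached only when no branch above matched: the generic fallback.
    mutate { add_tag => ["No_Filter"] }
  }
}
```

To confirm which branch an event takes, wrap the block in a pipeline with `input { stdin {} }` and `output { stdout { codec => rubydebug } }`, run it with `bin/logstash -f <pipeline.conf>`, and paste sample lines; the `tags` array in the printed event shows exactly one message-type tag per line, and `No_Filter` only on lines none of the patterns matched.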