My logstash config as follow,I want to output only when the field a in the arr. I think the condition in the output is always true.
input {
generator {
message => '{"a":111}'
codec => json
add_field => { "arr" => [111,222,333] }
count => 1
}
}
output {
if [a] in [arr] {
stdout {codec => rubydebug}
}
}
But when I run logstash,I find there is nothing output
[root@10-205-205-105 logstash-test-7.14.0]# bin/logstash -f config/demo.conf
Using JAVA_HOME defined java: /vdb/jdk-11
WARNING, using JAVA_HOME while Logstash distribution comes with a bundled JDK
OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
/vdb/logstash-test-7.14.0/vendor/bundle/jruby/2.5.0/gems/bundler-1.17.3/lib/bundler/rubygems_integration.rb:200: warning: constant Gem::ConfigMap is deprecated
Sending Logstash logs to /vdb/logstash-test-7.14.0/logs which is now configured via log4j2.properties
[2021-09-04T15:22:37,652][INFO ][logstash.runner ] Log4j configuration path used is: /vdb/logstash-test-7.14.0/config/log4j2.properties
[2021-09-04T15:22:37,666][INFO ][logstash.runner ] Starting Logstash {"logstash.version"=>"7.14.0", "jruby.version"=>"jruby 9.2.19.0 (2.5.8) 2021-06-15 55810c552b OpenJDK 64-Bit Server VM 11+28 on 11+28 +indy +jit [linux-x86_64]"}
[2021-09-04T15:22:38,137][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2021-09-04T15:22:39,868][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9601}
[2021-09-04T15:22:40,904][INFO ][org.reflections.Reflections] Reflections took 113 ms to scan 1 urls, producing 120 keys and 417 values
[2021-09-04T15:22:42,202][INFO ][logstash.javapipeline ][main] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>8, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>1000, "pipeline.sources"=>["/vdb/logstash-test-7.14.0/config/demo.conf"], :thread=>"#<Thread:0x13804740 run>"}
[2021-09-04T15:22:43,160][INFO ][logstash.javapipeline ][main] Pipeline Java execution initialization time {"seconds"=>0.95}
[2021-09-04T15:22:43,194][INFO ][logstash.javapipeline ][main] Pipeline started {"pipeline.id"=>"main"}
[2021-09-04T15:22:43,264][INFO ][logstash.agent ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[2021-09-04T15:22:43,474][INFO ][logstash.javapipeline ][main] Pipeline terminated {"pipeline.id"=>"main"}
[2021-09-04T15:22:43,861][INFO ][logstash.pipelinesregistry] Removed pipeline from registry successfully {:pipeline_id=>:main}
[2021-09-04T15:22:43,919][INFO ][logstash.runner ] Logstash shut down.
Then I remove the if condition run again:
output {
# if [a] in [arr] {
stdout {codec => rubydebug}
# }
}
{
"@timestamp" => 2021-09-04T07:24:40.521Z,
"a" => 111,
"arr" => [
[0] "111",
[1] "222",
[2] "333"
],
"@version" => "1",
"host" => "10-205-205-105",
"sequence" => 0
}
I noticed that the item type in 'arr' field is string, but the 'a' field is integer. I guess maybe the type is not match cause the if condition is false, so I change the type of 'a' to string.
input {
generator {
message => '{"a":"111"}'
codec => json
add_field => { "arr" => [111,222,333] }
count => 1
}
}
output {
if [a] in [arr] {
stdout {codec => rubydebug}
}
}
The if condition is true, and the console print the message
{
"a" => "111",
"sequence" => 0,
"arr" => [
[0] "111",
[1] "222",
[2] "333"
],
"@version" => "1",
"@timestamp" => 2021-09-04T07:29:34.794Z,
"host" => "10-205-205-105"
}
But my input message field type is a integer(in json format) and I need check if in some values. Is there have some solutions ?
Sorry for any mistakes. English is not my native language