Logstash and logical or

KaPBaJIOJI · December 13, 2021, 4:29am

Hello everyone
I try to started config logstash
Work config

filter {
    # grok log lines by program name (listed alpabetically)
    if [program] =~ /^postfix.*\/anvil$/ {
        grok {
            patterns_dir   => "/etc/logstash/patterns.d"
            match          => [ "message", "^%{POSTFIX_ANVIL}$" ]
            tag_on_failure => [ "_grok_postfix_anvil_nomatch" ]
            add_tag        => [ "_grok_postfix_success" ]
        }
    }

I can just add a block with postfix-new, but I don't want to complicate the config
i need add if [program] =~ /^postfix./anvil$/ or /^postfix-new./anvil$/
how can I get both values to be filtered. Tried adding quotes brackets but logstash won't start.
Thanks for help

KaPBaJIOJI · December 13, 2021, 4:33am

/^postfix*.*/anvil$/
would such a solution filter both queries?

Badger · December 13, 2021, 5:11pm

Yes. A more specific alternative would be to allow zero or more -new in the expression: /^postfix(-new)?\/anvil$/

If logstash does not start then tell us what error message it logs.

KaPBaJIOJI · December 16, 2021, 3:43am

Thanks for the answer, added to the config, it works without problems, only I haven't checked it with (-new) yet, but I think everything will be fine

system · January 13, 2022, 3:44am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.