Logstash compare field with quotedstring fails

Hi,
I'm parsing ModSecurity messages from the Apache error log. One of the fields I get is ruleid, which is parsed with a grok filter using the pattern QUOTEDSTRING. So in the field, for instance, I get a string with quotes: ""90999""
When the value is 90999 I want to take further action, but depending on how I write the "if" it works or not:

if [ruleid] == "90999" {
    # never gets into here even when ruleid is 90999
}

if [ruleid] == "\"90999\"" {
    # never gets into here even when ruleid is 90999
}

if [ruleid] =~ /\"90999\"/ {
    # now it works and when ruleid is 90999 it gets into the if
}

However, the third option, the one that works, is not as precise as the first or second. Does anyone have an idea why the second is not working?

Here is a summary of the document:

{
  "_index": "........",
  "_type": "_doc",
  "_id": "11qAWXoBgAYQIH4y4XnX",
  "_version": 1,
  "_score": null,
  "_source": {
    "type": "apache_error",
.........
    "ruleid": "\"90999\"",
    "ruletag4": "\"event-correlation\"",
    "modsecmessage": "Pattern match \"403\" at RESPONSE_STATUS.",
......
}

Thanks

Feels like a bug to me.

if [ruleid] == '"90999"' 

works just fine.

Thanks! That worked!
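
An alternative to comparing against the quoted value, as an added example that is not part of the original thread: strip the quotes that QUOTEDSTRING leaves in the field, then do an exact comparison on the bare rule ID. Logstash only processes backslash escapes in quoted config strings when config.support_escapes is enabled in logstash.yml, so the patterns below use single quotes instead of `\"`. The `[type]` check and the tag name are assumptions for illustration.

```logstash
filter {
  # Assumes the grok stage from the question has already populated
  # ruleid and ruletag4 with values such as "90999" (quotes included).
  if [type] == "apache_error" {

    # Remove one leading and one trailing double quote from each field.
    # Single-quoted pattern, so the inner " needs no backslash.
    mutate {
      gsub => [
        "ruleid",   '^"|"$', "",
        "ruletag4", '^"|"$', ""
      ]
    }

    # With the quotes gone, a plain string comparison is exact.
    if [ruleid] == "90999" {
      # Hypothetical tag name; replace with the action you need.
      mutate { add_tag => ["modsec_rule_90999"] }
    }
  }
}

# If the quotes must stay in the stored field, an anchored regex is as
# strict as an equality test:
#
#   if [ruleid] =~ /^"90999"$/ { ... }
```

Normalizing the field at ingest also keeps downstream queries and alert rules from having to account for the embedded quotes.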
