Hi,
I'm parsing modsecurity messages from the apache error log. One of the fields I get is ruleid, which is parsed with a grok filter using the pattern QUOTEDSTRING, so in the field I get, for instance, a string with quotes: ""90999""
When the value is 90999 I want to take further action, but depending on how I write the "if" it works or not:
```
if [ruleid] == "90999" {
  # never gets into here even when ruleid is 90999
}
if [ruleid] == "\"90999\"" {
  # never gets into here even when ruleid is 90999
}
if [ruleid] =~ /\"90999\"/ {
  # now it works and when ruleid is 90999 it gets into the if
}
```
However, the third option, which is working, is not as precise as the first or second. Does anyone have an idea why the second is not working?
Here is a summary of the document:
```json
{
  "_index": "........",
  "_type": "_doc",
  "_id": "11qAWXoBgAYQIH4y4XnX",
  "_version": 1,
  "_score": null,
  "_source": {
    "type": "apache_error",
    .........
    "ruleid": "\"90999\"",
    "ruletag4": "\"event-correlation\"",
    "modsecmessage": "Pattern match \"403\" at RESPONSE_STATUS.",
    ......
  }
```
thanks
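One way to sidestep the quoting problem, as an added example that is not part of the original post: strip the literal double quotes from the field before the conditional, so the comparison is against the bare number. Whether Logstash unescapes `\"` inside a double-quoted config string depends on the `config.support_escapes` setting in logstash.yml (documented default: false, escape sequences are kept literally), which is why single-quoted strings are used below for the pattern. The field name `ruleid` and the tag name are taken from the post; the `add_tag` action is an assumed placeholder for whatever further action is wanted.

```logstash
filter {
  # ruleid arrives from the existing grok stage as the quoted string "90999"
  # (the double quotes are part of the value, as in the _source shown above).
  mutate {
    # Remove every double-quote character from ruleid in place.
    # Single-quoted strings avoid any \" escape handling in the config parser.
    gsub => [ "ruleid", '"', '' ]
  }

  # After gsub, ruleid is the plain string 90999, so an exact comparison works.
  if [ruleid] == "90999" {
    mutate { add_tag => [ "modsec_rule_90999" ] }   # assumed placeholder action
  }
}
```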