Logstash compare one field with multiple value (string)

Hi there,

This is the configuration I am using for debugging purposes.
The goal is basically to filter source hosts in order to apply the appropriate filter to the messages, and to add a tag to distinguish them in Elasticsearch.

input {
    syslog {
        port => 5114
    }
}

filter {
    # vtiger
    if [host] == "192.168.40.140" or [host] == "192.168.40.141" {
        grok {
            match => { "message" => "%{COMBINEDAPACHELOG}"}
        }
        mutate {
            add_tag => ["vtiger"]
        }
    }
    # NetScaler
    else if [host] == "192.168.41.111" {
        grok {
            # AppFirewall - CEF mode ON
            match => { "message" => "%{NOTSPACE} %{NOTSPACE}(?<security_check>(APPFW_[^\s|]+))%{DATA}%{IP:clientip} %{NOTSPACE} %{WORD}=%{WORD:verb} %{WORD}=%{NOTSPACE:request} %{WORD}=%{GREEDYDATA:explanation} cn1=%{WORD} cn2=%{WORD} cs1=%{WORD:profile} %{GREEDYDATA} act=%{GREEDYDATA:action}"}
        }
        mutate {
            add_tag => ["NetScaler AppFw"]
            remove_tag => ["_grokparsefailure_sysloginput"]
            remove_field => ["facility","priority","severity"]
        }
    }
}

output {
    stdout { codec => rubydebug }
}

This configuration is working, but I find it odd that I cannot simply write this:
if [host] == ("192.168.40.140" or "192.168.40.141")

If I do, an exception is triggered.

The question is in the subject :slight_smile:
Maybe I am missing a point?

Try if [host] == "192.168.40.140" or [host] == "192.168.40.141".

1 Like

This configuration is working, but I find it odd that I cannot simply write this:
if [host] == ("192.168.40.140" or "192.168.40.141")

I don't know of a single programming language where this works the way you want it to. Another way of accomplishing what you want is this:

if [host] in ["192.168.40.140", "192.168.40.141"] {
    # grok / mutate filters for these hosts go here
}
4 Likes

Thanks @magnusbaeck I will do that.

I don't know of a single programming language where this works the way you want it to

Proof of concept in Python:

>>> toto = 4
>>> 
>>> if toto == (4 or 3):
...     print "It works"
... 
It works
>>> if toto == (2 or 3):
...     print "It works"
... 
>>>

Yes, that happened to work since 4 or 3 evaluates to 4. Try reversing the order:

$ python
Python 2.7.11 (default, Jan 11 2016, 21:04:40)
[GCC 5.3.1 20160101] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> toto = 4
>>> if toto == (3 or 4):
...     print "It works"
...
>>>
1 Like
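The two points made in this thread, shown side by side in an added Python 3 example (not code from the original posts): `("a" or "b")` evaluates to its first truthy operand, so an equality test against it only ever matches the first address, while a membership test matches every address in the list, which is what the Logstash `in [...]` form does. The `route()` function mirrors the host-to-tag routing of the configuration in the first post; the host addresses and tag names come from that configuration, the `"unrouted"` tag for unknown sources and the sample events are constructed for this example.

```python
"""Added example: equality against an `or` expression vs. a membership test,
applied to the syslog host routing described in the thread."""

# Addresses and tags taken from the filter block in the original post.
VTIGER_HOSTS = ("192.168.40.140", "192.168.40.141")
NETSCALER_HOSTS = ("192.168.41.111",)
FIELDS_DROPPED_FOR_NETSCALER = ("facility", "priority", "severity")


def matches_or_expression(host: str) -> bool:
    """Mirrors the rejected `[host] == ("a" or "b")` idea.

    `("a" or "b")` is evaluated first and yields "a" (the first truthy
    operand), so the comparison silently ignores the second address.
    """
    return host == (VTIGER_HOSTS[0] or VTIGER_HOSTS[1])


def matches_membership(host: str) -> bool:
    """Equivalent of the Logstash `[host] in [...]` conditional."""
    return host in VTIGER_HOSTS


def route(event: dict) -> dict:
    """Tag an event by its source host, like the filter block in the post.

    Returns the (mutated) event so the result can be inspected directly.
    """
    host = event.get("host", "")
    tags = list(event.get("tags", []))
    if host in VTIGER_HOSTS:
        tags.append("vtiger")
    elif host in NETSCALER_HOSTS:
        tags.append("NetScaler AppFw")
        # Same clean-up the post's mutate filter performs for NetScaler events.
        tags = [t for t in tags if t != "_grokparsefailure_sysloginput"]
        for field in FIELDS_DROPPED_FOR_NETSCALER:
            event.pop(field, None)
    else:
        # Hypothetical tag (not in the original config) so events from
        # sources the routing does not know about are visible in Elasticsearch
        # instead of quietly passing through untagged.
        tags.append("unrouted")
    event["tags"] = tags
    return event


if __name__ == "__main__":
    # Constructed sample events; the second address would be missed by the
    # `==` form but is matched by membership.
    for h in VTIGER_HOSTS:
        print(h, "== form:", matches_or_expression(h), "in form:", matches_membership(h))
    print(route({"host": "192.168.41.111",
                 "tags": ["_grokparsefailure_sysloginput"],
                 "facility": 1, "message": "constructed sample"}))
```

Running the block prints `True` for the first vtiger address and `False` for the second under the `==` form, and `True` for both under the membership form; the NetScaler sample comes back tagged `NetScaler AppFw` with the grok-failure tag and the three syslog fields removed.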

Ah okay, thanks for pointing that out!