Logstash - Comparing two fields

Raj_Kumar · April 12, 2017, 8:06am

Hi All,

I was trying to compare two fields of our windows events by creating a mutate filter ,but i couldn't get any results in elasticsearch, i checked the configuration ,it seems to be Ok.Could anyone help me on this

filter {
if "4,724" in [event_id] {
if [event_data][SubjectUserName] != [event_data][TargetUserName] {
mutate {
add_field => {
"match" => false
}
}
}
}
}

filter {
if "4,724" in [event_id] {
if [event_data][SubjectUserName] == [event_data][TargetUserName] {
mutate {
add_field => {
"match" => true
}
}
}
}
}

Any help would be really helpful

Thanks In Advance,
Raj

magnusbaeck · April 12, 2017, 8:23am

The

if "4,724" in [event_id] {

condition is most likely wrong. You should use

if [event_id] == 4724 {

or

if [event_id] == "4724" {

instead (depending on the data type of the event_id field).

Raj_Kumar · April 12, 2017, 8:24am

Thank you very much for your quick response

system · May 10, 2017, 8:34am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash - comparison 2 fields Logstash	3	595	January 11, 2022
Change a Number Field Value Logstash	12	972	July 2, 2019
Some problem of if and mutate in logstash filter Logstash	7	457	June 5, 2018
Filter if condition in Logstash Logstash	8	19412	July 24, 2019
Comparing fields from input Logstash	3	662	August 4, 2019

Logstash - Comparing two fields

Related topics