Logstash - comparison 2 fields

Christophe_Journel · December 13, 2021, 4:38pm

Hello.
I would like to compare 2 fields using logstash.
To be more precise, i would like to know id the content of one field is included into the other one, using ( regex)

i tried this configuration

   if ( [test][field1] and [test][field2]){
     if ([test][field2] =~ /.*%{[test][field1]}/) {
       mutate {
         add_field => { "DiffRegexp" => "true" }
       }
     } 
   }

However, That 's not working.

Any help would be appreciated

Thanks !

Badger · December 13, 2021, 6:06pm

No sprintf substitution is done on conditionals

    mutate { add_field => { "[a]" => "foo%{b}" } }
    mutate { add_field => { "[b]" => "bar" } }

    if "%{b}" in [a] { mutate { add_field => { "[c]" => "baz" } } }

will add the field [c]. You can use a ruby filter

    ruby {
        code => '
            a = event.get("a"); b = event.get("b")
            if a and b and a.include? b
                event.set("c", "baz")
            end
        '
    }

Christophe_Journel · December 14, 2021, 11:47am

Thank you @Badger , this is indeed the solution

Topic		Replies	Views
Logstash - Comparing two fields Logstash	3	1343	May 10, 2017
Logstash if conditions connected with and Logstash	9	622	September 1, 2020
Seraching value of variable Logstash	3	254	September 2, 2019
Logstash Comparing Field Values Using an If Statement not working Logstash	3	1540	November 6, 2020
Dynamically build the conditional statement from field value Logstash	8	3539	August 23, 2017

Logstash - comparison 2 fields

Related topics