Logstash - comparison 2 fields

Christophe_Journel · December 13, 2021, 4:38pm

Hello.
I would like to compare 2 fields using logstash.
To be more precise, i would like to know id the content of one field is included into the other one, using ( regex)

i tried this configuration

   if ( [test][field1] and [test][field2]){
     if ([test][field2] =~ /.*%{[test][field1]}/) {
       mutate {
         add_field => { "DiffRegexp" => "true" }
       }
     } 
   }

However, That 's not working.

Any help would be appreciated

Thanks !

Badger · December 13, 2021, 6:06pm

No sprintf substitution is done on conditionals

    mutate { add_field => { "[a]" => "foo%{b}" } }
    mutate { add_field => { "[b]" => "bar" } }

    if "%{b}" in [a] { mutate { add_field => { "[c]" => "baz" } } }

will add the field [c]. You can use a ruby filter

    ruby {
        code => '
            a = event.get("a"); b = event.get("b")
            if a and b and a.include? b
                event.set("c", "baz")
            end
        '
    }

Christophe_Journel · December 14, 2021, 11:47am

Thank you @Badger , this is indeed the solution

system · January 11, 2022, 11:48am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash - Comparing two fields Logstash	3	1293	May 10, 2017
Compare two fields in logstash Logstash	5	4961	July 6, 2017
Compare fields value Logstash	3	440	September 2, 2022
Comparing fields from input Logstash	3	662	August 4, 2019
Comparing two string in ruby filter / comparing two string fields Logstash	3	2582	July 6, 2017

Logstash - comparison 2 fields

Related topics