Logstash condition match

gugansankar · December 2, 2015, 5:02pm

I have to add one more field , if my condition is true. But its not working.

My condition is " Json message has a field called clientip, if its present then one more filed has to be added with message"

Log Message : {"Protocol": "http", "Clientid": "2062230369", "clientip": "10.11.12.13"}

Config :

input {stdin { codec=>json }}
filter {
if "_jsonparsefailure" in [tags] {
drop {}
}
else {
if [clientip] == 'true' {
date {
match => ["timestamp", "YYYY-MM-dd HH:mm:ss"]
add_field => { "primary" => "%{clientip}"}
}
}}}
output {
stdout { codec => "rubydebug" }
}

But,my condition is failed, this is the output i'm getting

{
"Protocol" => "http",
"Clientid" => "2062230369",
"clientip" => "10.11.12.13",
"@version" => "1",
"@timestamp" => "2015-12-02T16:56:41.462Z",
"host" => "gugan"
}

magnusbaeck · December 2, 2015, 8:55pm

But the clientip field isn't equal to the string "true" so the condition is false. To check for the presence of a field you can use this:

if [clientip] {
  ...
}

(This way of checking for field existence isn't perfect. If the field exists but contains a false boolean value the condition will evaluate to false.)

gugansankar · December 3, 2015, 10:10am

its not working.

Tested Log : {"Protocol": "http", "Clientid": "2062230369", "clientip": "10.11.12.13", "timesistamp": "2015-06-15 12:45:50"}

Logstash startup completed
{
"Protocol" => "http",
"Clientid" => "2062230369",
"clientip" => "10.11.12.13",
"timesistamp" => "2015-06-15 12:45:50",
"@version" => "1",
"@timestamp" => "2015-12-03T10:07:34.798Z",
"host" => "gugan"
}
Logstash shutdown completed
root@gugan:~/ELK#

Pasting my config once again Here.:

filter {

if "_jsonparsefailure" in [tags] {
drop {}
}
else {
if [clientip] {
date {
match => ["timestamp", "YYYY-MM-dd HH:mm:ss"]
target => "@timestamp"
add_field => { "primary" => "%{clientip}"}
}
geoip {
source => "clientip"
}
}
}

magnusbaeck · December 3, 2015, 10:17am

The conditional probably works fine but

the date filter doesn't work because the field is named timesistamp and not timestamp and
the geoip filter doesn't work because the IP address in clientip is in a non-public IP address space that doesn't work with geoip.

gugansankar · December 3, 2015, 11:33am

OMG. Sorry @magnusbaeck . I troubled you for this silly things.

But, Thanks for your kind reply. Hereafter, I will try to double verify before posting. I thought, Something made mistake on the condition match. but I didn't expect the problem lies there.

About GeoIP, yes I know. geoip would work on Public IP and its not for private IP's.