Logstash condition match


(KMG) #1

I have to add one more field, if my condition is true. But it's not working.

My condition is "the JSON message has a field called clientip; if it's present then one more field has to be added to the message".

Log Message : {"Protocol": "http", "Clientid": "2062230369", "clientip": "10.11.12.13"}

Config :

input { stdin { codec => json } }
filter {
  if "_jsonparsefailure" in [tags] {
    drop {}
  }
  else {
    if [clientip] == 'true' {
      date {
        match => ["timestamp", "YYYY-MM-dd HH:mm:ss"]
        add_field => { "primary" => "%{clientip}" }
      }
    }
  }
}
output {
  stdout { codec => "rubydebug" }
}

But my condition fails; this is the output I'm getting:

{
    "Protocol" => "http",
    "Clientid" => "2062230369",
    "clientip" => "10.11.12.13",
    "@version" => "1",
  "@timestamp" => "2015-12-02T16:56:41.462Z",
        "host" => "gugan"
}


(Magnus Bäck) #2

But the clientip field isn't equal to the string "true" so the condition is false. To check for the presence of a field you can use this:

if [clientip] {
  ...
}

(This way of checking for field existence isn't perfect. If the field exists but contains a false boolean value the condition will evaluate to false.)


(KMG) #3

It's not working.

Tested Log : {"Protocol": "http", "Clientid": "2062230369", "clientip": "10.11.12.13", "timesistamp": "2015-06-15 12:45:50"}

Logstash startup completed
{
      "Protocol" => "http",
      "Clientid" => "2062230369",
      "clientip" => "10.11.12.13",
   "timesistamp" => "2015-06-15 12:45:50",
      "@version" => "1",
    "@timestamp" => "2015-12-03T10:07:34.798Z",
          "host" => "gugan"
}
Logstash shutdown completed
root@gugan:~/ELK#

Pasting my config once again here:

filter {
  if "_jsonparsefailure" in [tags] {
    drop {}
  }
  else {
    if [clientip] {
      date {
        match => ["timestamp", "YYYY-MM-dd HH:mm:ss"]
        target => "@timestamp"
        add_field => { "primary" => "%{clientip}" }
      }
      geoip {
        source => "clientip"
      }
    }
  }
}


(Magnus Bäck) #4

The conditional probably works fine but

  • the date filter doesn't work because the field is named timesistamp and not timestamp and
  • the geoip filter doesn't work because the IP address in clientip is in a non-public IP address space that doesn't work with geoip.
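Putting the advice from #2 and #4 together, here is a corrected pipeline as an added example; it is not the thread's own config. It assumes the events still arrive with the misspelt `timesistamp` field from the #3 sample (so it renames that field before the date filter runs; drop that block if the producer is fixed instead), and it moves `add_field` out of the date filter into a `mutate`, because a filter's `add_field` is only applied when that filter succeeds, which is why `primary` never appeared while the date parse was failing. The regex guard in front of `geoip` skips RFC 1918, loopback and link-local addresses so that internal traffic does not pile up `_geoip_lookup_failure` tags; the `private_clientip` tag name is a label chosen for this example.

```logstash
input { stdin { codec => json } }

filter {
  if "_jsonparsefailure" in [tags] {
    drop {}
  }
  else {
    # Presence check from #2. Caveat from the same post: a field whose
    # value is boolean false also fails this test.
    if [clientip] {
      # add_field in a mutate is applied unconditionally, unlike the
      # add_field on a date filter, which only runs if the parse succeeds.
      mutate {
        add_field => { "primary" => "%{clientip}" }
      }

      # Assumption for this example: the producer still emits the
      # misspelt field seen in #3. Rename it only if the correct name is absent.
      if [timesistamp] and ![timestamp] {
        mutate {
          rename => { "timesistamp" => "timestamp" }
        }
      }

      # Parse only when the field exists, so a missing field does not
      # silently tag every event with _dateparsefailure.
      if [timestamp] {
        date {
          match          => ["timestamp", "YYYY-MM-dd HH:mm:ss"]
          target         => "@timestamp"
          tag_on_failure => ["_dateparsefailure"]
        }
      }

      # geoip has no data for private/loopback/link-local space (#4), so
      # tag those events instead of attempting a lookup that will fail.
      if [clientip] !~ /^(10\.|127\.|169\.254\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/ {
        geoip {
          source => "clientip"
        }
      }
      else {
        mutate {
          add_tag => ["private_clientip"]
        }
      }
    }
  }
}

output {
  stdout { codec => rubydebug }
}
```

Feeding the #3 sample line through this pipeline yields an event with `primary` set to `10.11.12.13`, `@timestamp` taken from the renamed field, and the tag `private_clientip` in place of a failed geoip lookup; a public address would instead get the `geoip` sub-document.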

(KMG) #5

OMG. Sorry @magnusbaeck. I troubled you with these silly things.

But thanks for your kind reply. Hereafter, I will try to double-check before posting. I thought something was wrong with the condition match, but I didn't expect the problem to lie there.

About GeoIP, yes, I know. GeoIP works on public IPs and not on private IPs.

