Logstash Conditional format?

tpnoonan · February 21, 2016, 4:37pm

I've got a filter that I'm trying to add to a log stash instance that is receiving netflow data. I am trying to test the value of the field "netflow.protocol" and then based on that add a string literal for the type of protocol that it is. I've tried many combinations, but nothing seems to work.

My filter looks like this.

filter {
if [netflow.protocol] == "6" {
mutate {
add_field => { "netflow.protocol_type" => "TCP" }
}
}
}

I'm sure I've got something slightly wrong here and would appreciate feedback from the community. Thanks!

msimos · February 21, 2016, 7:17pm

Hi,

Maybe you can post an example of what the log message looks like and your logstash configuration.

magnusbaeck · February 23, 2016, 7:00pm

This is the correct syntax:

if [netflow][protocol] == "6" {

Topic		Replies	Views
Logstash filter section problem Logstash	3	673	July 24, 2017
IF conditional not dropping field Logstash	2	520	February 19, 2018
Logstash and netflow filter problem / question with filter and if[exp] Logstash	2	697	July 25, 2017
Filter conditionals not working as expected Logstash	3	301	December 27, 2020
If conditional statement field source Logstash	2	1849	July 26, 2017

Logstash Conditional format?

Related topics