Logstash conditional "in" with single element list not working

Thomas_Larsson_Kron · August 24, 2016, 11:10am

Hello.

I'm using logstash 2.1.1 and I'm encountering a problem with using the "in" conditional expression to filter out log events that are not of a certain level.

If I have more than one element in the list, everything works, but with only one element in the list all elements get filtered away.

An example log file:

$ cat /tmp/thomas/logstash/test.log
2016-01-27 00:44:20,762 INFO  some info level message
2016-01-27 00:44:20,763 WARN  some warning level message

The working config (with two elements in the list):

$ cat test.conf
input {
  file {
    path => "/tmp/thomas/logstash/test.log"
    start_position => "beginning"
  }
}

filter {
  grok {
    match => { "message" => "%{TIMESTAMP_ISO8601:time}[\s\-]{1,}%{LOGLEVEL:level} %{GREEDYDATA:msg_rest}" }
  }
  if [level] not in ['WARN', 'INFO'] {
    drop {}
  }
}

output {
  stdout {}
}

The output when starting agent:

$ /opt/logstash/bin/logstash agent -f /etc/logstash/conf.d
Settings: Default filter workers: 4
Logstash startup completed
2016-08-24T11:03:32.872Z my-hostname 2016-01-27 00:44:20,762 INFO  some info level message
2016-08-24T11:03:32.874Z my-hostname 2016-01-27 00:44:20,763 WARN  some warning level message

If I change the above filter conditional to use a single item list instead like this:

filter {
  grok {
    match => { "message" => "%{TIMESTAMP_ISO8601:time}[\s\-]{1,}%{LOGLEVEL:level} %{GREEDYDATA:msg_rest}" }
  }
  if [level] not in ['INFO'] {
    drop {}
  }
}

Then I get nothing when running the agent:

$ /opt/logstash/bin/logstash agent -f /etc/logstash/conf.d
Settings: Default filter workers: 4
Logstash startup completed

Am I blind and have some syntax error in my conf or is it a bug?

Please help, best regards
/Thomas

warkolm · August 26, 2016, 9:47am

If you want a single value, just do - if [level] not in "INFO".

magnusbaeck · August 27, 2016, 2:45pm

Yeah, this is a bug.

$ cat test.config 
input { stdin { } }
output { stdout { codec => rubydebug } }
filter {
  if [host] in ['bertie', 'some-other-host'] {
    mutate {
      add_tag => ['match']
    }
  }
}
$ echo 'hello' | logstash -f test.config
Settings: Default pipeline workers: 8
Pipeline main started
{
       "message" => "hello",
      "@version" => "1",
    "@timestamp" => "2016-08-27T14:43:39.554Z",
          "host" => "bertie",
          "tags" => [
        [0] "match"
    ]
}
Pipeline main has been shutdown
stopping pipeline {:id=>"main"}
$ cat test.config
input { stdin { } }
output { stdout { codec => rubydebug } }
filter {
  if [host] in ['bertie'] {
    mutate {
      add_tag => ['match']
    }
  }
}
$ echo 'hello' | logstash -f test.config
Settings: Default pipeline workers: 8
Pipeline main started
{
       "message" => "hello",
      "@version" => "1",
    "@timestamp" => "2016-08-27T14:44:19.453Z",
          "host" => "bertie"
}
Pipeline main has been shutdown
stopping pipeline {:id=>"main"}