Logstash conditional test for value in a field

Zorkmid · October 13, 2020, 8:43pm

Hello all,

Is the follow correct for testing for the presence of a value and then applying the appropriate grok filter? The event types, urlfLog, accessLog all arrive in the same syslog input stream and I'd like to test and apply grok formatting to them before passing the events to the output stage.

    filter {
            	if [logname] == "urlfLog" {
            	 grok {
            		 patterns_dir => ["/etc/logstash/patterns"]
            		 match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{WORD:logname}, applianceName=%{textDef:applianceName}, tenantName=%{textDef:tenantName}, flowId=%{NONNEGINT:flowId}, flowCookie=%{NONNEGINT:flowCookie} " }
            			 }
            	} else if [logname] == "accessLog" {
            	 grok {
            		 patterns_dir => ["/etc/logstash/patterns"]
            		 match => { "message" =>  "%{TIMESTAMP_ISO8601:timestamp} %{WORD:logname}, applianceName=%{textDef:applianceName}, tenantName=%{textDef:tenantName}, flowId=%{NONNEGINT:flowId}, flowCookie=%{NONNEGINT:flowCookie}, flowStartMilliseconds=%{NONNEGINT:flowStartMilliseconds}"}
            		 } 
            	} 
         }

Regards
TimW

Badger · October 13, 2020, 8:45pm

Looks OK to me.

system · November 10, 2020, 8:45pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.