Logstash conditional test for value in a field

Zorkmid · October 13, 2020, 8:43pm

Hello all,

Is the follow correct for testing for the presence of a value and then applying the appropriate grok filter? The event types, urlfLog, accessLog all arrive in the same syslog input stream and I'd like to test and apply grok formatting to them before passing the events to the output stage.

    filter {
            	if [logname] == "urlfLog" {
            	 grok {
            		 patterns_dir => ["/etc/logstash/patterns"]
            		 match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{WORD:logname}, applianceName=%{textDef:applianceName}, tenantName=%{textDef:tenantName}, flowId=%{NONNEGINT:flowId}, flowCookie=%{NONNEGINT:flowCookie} " }
            			 }
            	} else if [logname] == "accessLog" {
            	 grok {
            		 patterns_dir => ["/etc/logstash/patterns"]
            		 match => { "message" =>  "%{TIMESTAMP_ISO8601:timestamp} %{WORD:logname}, applianceName=%{textDef:applianceName}, tenantName=%{textDef:tenantName}, flowId=%{NONNEGINT:flowId}, flowCookie=%{NONNEGINT:flowCookie}, flowStartMilliseconds=%{NONNEGINT:flowStartMilliseconds}"}
            		 } 
            	} 
         }

Regards
TimW

Badger · October 13, 2020, 8:45pm

Looks OK to me.

system · November 10, 2020, 8:45pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Field value filter Logstash	7	4429	September 1, 2017
Logstash filter fields in if conditions Logstash	5	19286	August 25, 2020
Filter conditionals not working as expected Logstash	3	301	December 27, 2020
Conditional grok Logstash	8	33033	July 6, 2017
Regexp in conditional Logstash	10	4425	September 6, 2019

Logstash conditional test for value in a field

Related Topics