Logstash conditional test for value in a field

Zorkmid · October 13, 2020, 8:43pm

Hello all,

Is the follow correct for testing for the presence of a value and then applying the appropriate grok filter? The event types, urlfLog, accessLog all arrive in the same syslog input stream and I'd like to test and apply grok formatting to them before passing the events to the output stage.

    filter {
            	if [logname] == "urlfLog" {
            	 grok {
            		 patterns_dir => ["/etc/logstash/patterns"]
            		 match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{WORD:logname}, applianceName=%{textDef:applianceName}, tenantName=%{textDef:tenantName}, flowId=%{NONNEGINT:flowId}, flowCookie=%{NONNEGINT:flowCookie} " }
            			 }
            	} else if [logname] == "accessLog" {
            	 grok {
            		 patterns_dir => ["/etc/logstash/patterns"]
            		 match => { "message" =>  "%{TIMESTAMP_ISO8601:timestamp} %{WORD:logname}, applianceName=%{textDef:applianceName}, tenantName=%{textDef:tenantName}, flowId=%{NONNEGINT:flowId}, flowCookie=%{NONNEGINT:flowCookie}, flowStartMilliseconds=%{NONNEGINT:flowStartMilliseconds}"}
            		 } 
            	} 
         }

Regards
TimW

Badger · October 13, 2020, 8:45pm

Looks OK to me.

system · November 10, 2020, 8:45pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Field value filter Logstash	7	4432	September 1, 2017
Using conditionals to decide which logs to filter Logstash	3	346	October 3, 2019
Conditional, check multiple values for a field Logstash	4	15458	December 15, 2017
Logstash filter problem Logstash	3	296	April 19, 2018
How to use conditional statement in Filter Logstash	5	2077	July 6, 2017

Logstash conditional test for value in a field

Related topics