Logstash conf file if else condition is not working

Suresh_Pal · March 6, 2019, 12:35pm

Team,

Vesrion 6.2

In my config file i'm trying to use different grok pattern for different prospector.

filter {
if [type] == "db_log" {
grok {
match => [ "message", "%{TIMESTAMP_ISO8601:timetamp}%{SPACE}%{NOTSPACE}%{SPACE}%{INT:line}%{SPACE}%{NOTSPACE}%{SPACE}%{LOGLEVEL:loglevel}%{SPACE}(?:- Tenant Name :)%{SPACE}%{WORD:TENANT_NAME}%{SPACE}(?:GlobalConnectionPool - Active Connections :)%{SPACE}%{WORD:Active_Connections}%{SPACE}%{NOTSPACE}%{SPACE}(?:Idle Connections :)%{SPACE}%{WORD:Idle_Connection}" ]
}
}
else if [type] == "user_access" {
grok {
match => [ "message", "%{NOTSPACE}%{SPACE}%{NOTSPACE}%{SPACE}%{WORD:USER}%{WORD}%{GREEDYDATA}" ]
}
}

else{
grok {
match => { "message" => "%{TIMESTAMP_ISO8601:timetamp}%{SPACE}%{NOTSPACE}%{SPACE}%{INT:line}%{SPACE}%{NOTSPACE}%{SPACE}%{LOGLEVEL:loglevel}%{SPACE}(?:- Tenant Name :)%{SPACE}%{WORD:TENANT_NAME}%{SPACE}%{GREEDYDATA:Message}"}
}
date {
match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
}
}
}

output {
elasticsearch { hosts => ["localhost:9200"] }

}

Note: fist If and last else condition is working fine but in between else if condition is not working.

Someone please help me to sort out this.

Suresh_Pal · March 11, 2019, 6:17am

Hi team,

Any update ??

Ganesh2303 · March 11, 2019, 3:17pm

Share your log whether your type value gets match with log.

system · April 8, 2019, 3:17pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.