Logstash config output regex condition on integer

metalcapone · August 25, 2016, 9:40am

Hello all!

I'm working on indexing IIS logs in ES using Logstash.
Here is my config output section, where I try to seperate the http code response (status field) in two indices:

output {
   	if [type] == "mywebsite" and [status] =~ "^[2]" {
		elasticsearch {
			hosts => ["192.168.1.3:9200"]
			index => "logstash-httpCode2XX-%{+YYYY.MM}"
			document_type => "log"
		}
	}
	if [type] == "mywebsite" and [status] =~ "^[5]" {
		elasticsearch {
			hosts => ["192.168.1.3:9200"]
			index => "logstash-httpCode5XX-%{+YYYY.MM}"
			document_type => "log"
		}
	}
}

Given [status] field is "grokked" and mutated as an integer:

mutate {
	convert => {
		status => "integer"
        }
}

I do not understand why the second part of my conditions with the regex does not work... It is not verified, nothing is sent to my ES indices.

I add that without this condition, everything's ok until ES, so no Grok or mutate issue...

Thanks a lot if you have any idea!
Have a good day.

magnusbaeck · August 25, 2016, 11:00am

I'm not sure regexp matches work for integer fields. Note that the correct syntax for regexp matching is [status] =~ /^[2]/ (which is equivalent to [status] =~ /^2/). Either way, why use regexp matching in the first place when you can do [status] >= 200 and [status] < 300?

metalcapone · August 25, 2016, 12:22pm

Thanks for your reply!

It works fine using the simple mathematical comparison. When I tried the first time, I used quotes...
Morality, regex seem to not work on intergers.

Topic		Replies	Views
Output IF ELSE configuration error Logstash	8	35826	July 6, 2017
Integer comparison not working Logstash	4	490	August 20, 2020
Logstash if condition regex not working Logstash	11	1136	August 29, 2022
Logstash if statement with regex example Logstash	7	18266	March 21, 2017
Multiple if else problem in output in Logstash Logstash	7	7015	April 4, 2019

Logstash config output regex condition on integer

Related Topics