Logstash configure issue

(hsiuming) #1

Hello, we now have data that has two layers in Kibana's JSON form.

In kibana we can see :
"_index": "XXXXXX",
"_type": "pcap",
"_id": "XXXXXX",
"_version": X,
"layers": {
"ip_src": [
"@version": "X",
"host": "XXXXX",


We send the data to Kibana through the following process:

log data->filebeat->logstash->elasticsearch

Now we want to add some filter condition in logstash.

When we set the if condition in the Logstash configuration file:

if [type] == "pcap"

If the data meets the if condition, Logstash will execute the function in the big parentheses.

But if I set the if condition:

if [layers][ip_src] == "192.168.X.XX"

The if function will not execute.

Do we have the wrong if function setting?

(Guy Boertje) #2

ip_src is an Array. Your conditional is trying to test whether an Array is equal to a String.

Try this (not tested):

if "192.168.X.XX" in [layers][ip_src] {
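
The conditional from reply #2 placed in a complete pipeline, as an added example that is not part of the original thread. The Beats port, the tag names and the Elasticsearch host are assumptions, and "192.168.X.XX" is the thread's own placeholder.

```logstash
# Added example, not from the original thread.
# Assumed: Beats port 5044, tag names, local Elasticsearch host.
input {
  beats {
    port => 5044
  }
}

filter {
  if [type] == "pcap" {
    # [layers][ip_src] is an array, so comparing it to a string with ==
    # never matches. "in" tests membership when the field is an array.
    # Caveat: if the field were a plain string instead, "in" would do a
    # substring match, so a shorter address could match a longer one.
    if "192.168.X.XX" in [layers][ip_src] {
      mutate { add_tag => ["src_match"] }
    }

    # Alternative: compare a single element by index. This only checks
    # the first entry and ignores any further addresses in the array.
    if [layers][ip_src][0] == "192.168.X.XX" {
      mutate { add_tag => ["src_match_first"] }
    }
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
  }
}
```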

