Logstash configure issue

Hello we now have a data is two layer in kibana json form.

In kibana we can see :
{
"_index": "XXXXXX",
"_type": "pcap",
"_id": "XXXXXX",
"_version": X,
.
.
.
"layers": {
"ip_src": [
"192.168.X.XX"
],
.
.
}
.
"@version": "X",
"host": "XXXXX",

}

We send the data to kibana following the process:

log data->filebeat->logstash->elasticsearch

Now we want to add some filter condition in logstash.

When we set the if condition in logstash configure file :

if [type] == "pcap"
{}

If the data meet the if condition ,logstash will execute the function in big parantheses.

But if i set the if condition:

if [layers][ip_src] == "192.168.X.XX"
{}

The if function will not execute.

Do we have the wrong if function setting?

ip_src is an Array. Your conditional is trying to test whether an Array is equal to a String.

Try this (not tested):

if "192.168.X.XX" in [layers][ip_src] {

}

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.