Logstash does not parse if 'if' condition change

Aniket_Pant · August 23, 2022, 11:59am

Using single node ELK cluster version 7.16.3.
Index won't appear in kibana if i used this configuration in logstash pipeline file

output {
if [tags] == "average_weight" {
elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "average_weight-%{+YYYY.MM.dd}"
    #user => "elastic"
    #password => "changeme"
 }
}
}

If i change the pattern in if condition than i can able to see my index

output {
if "average_weight" in [tags] {
elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "average_weight-%{+YYYY.MM.dd}"
    #user => "elastic"
    #password => "changeme"
 }
}
}

So is there any difference between these two ?
I don't want to use in operator

leandrojmp · August 23, 2022, 12:24pm

If you are creating the tags field in Logstash using add_tag, then it is an array, a collection type field, so you need to use the in or not in operator.

What you have in reality is tags: [ "average_weight", "other-tags" ]

Aniket_Pant · August 23, 2022, 4:32pm

Hi @leandrojmp basically i introduced this tags in filebeat.yml

- type: filestream

  # Change to true to enable this input configuration.
  enabled: true
  tags: ["average_weight"]
  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - /home/aniket/python/average_weight.log

according to me logstash will check that this field(when it receive events from beats) is exist and it has the value
So i am creating tag but i am using this tags.. Please correct me

Rios · August 23, 2022, 5:01pm

Tag is a field which can contains multiple values as the array.

if "average_weight" in [tags] means check does the values "average_weight" exist in tags
if [tags] == "average_weight" means check is tags equal to "average_weight", which never be possible since is the array, not a value.

What is possible to compare is a member of the array, for instance:
if [tags][0] == "average_weight"

leandrojmp · August 23, 2022, 5:54pm

It is the same thing, the tags fields both in Beats and Logstash is an array.

If you want to use this field in the conditional you will need to make a check using in or not in.

Aniket_Pant · August 24, 2022, 8:59am

Thank you @Rios @leandrojmp i thought tag field in beat is not array. Thank you both of you

system · September 21, 2022, 9:00am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash if condition regex not working Logstash	11	1161	August 29, 2022
Conditional in the output is ignored Logstash	6	441	February 15, 2022
Logstash tags conditional issue Logstash	4	271	April 5, 2019
Filtering in LogStash using the if..in syntax Logstash	3	370	January 23, 2020
How to use if else statments in logstash output pipline? Logstash	9	35874	March 9, 2018

Logstash does not parse if 'if' condition change

Related topics