Logstash does not parse if the 'if' condition changes

Using a single-node ELK cluster, version 7.16.3.
The index won't appear in Kibana if I use this configuration in the Logstash pipeline file:

output {
  if [tags] == "average_weight" {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      index => "average_weight-%{+YYYY.MM.dd}"
      #user => "elastic"
      #password => "changeme"
    }
  }
}

If I change the pattern in the if condition, then I am able to see my index:

output {
  if "average_weight" in [tags] {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      index => "average_weight-%{+YYYY.MM.dd}"
      #user => "elastic"
      #password => "changeme"
    }
  }
}

So is there any difference between these two?
I don't want to use the in operator.

If you are creating the tags field in Logstash using add_tag, then it is an array, a collection type field, so you need to use the in or not in operator.

What you have in reality is tags: [ "average_weight", "other-tags" ]

Hi @leandrojmp, basically I introduced these tags in filebeat.yml:

- type: filestream

  # Change to true to enable this input configuration.
  enabled: true
  tags: ["average_weight"]
  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - /home/aniket/python/average_weight.log

According to me, Logstash will check that this field (when it receives events from Beats) exists and has the value.
So I am creating the tag but I am using these tags. Please correct me.

Tags is a field which can contain multiple values, as an array.

if "average_weight" in [tags] means: check whether the value "average_weight" exists in tags.
if [tags] == "average_weight" means: check whether tags is equal to "average_weight", which is never possible since it is an array, not a value.

What is possible to compare is a member of the array, for instance:
if [tags][0] == "average_weight"


It is the same thing; the tags field in both Beats and Logstash is an array.

If you want to use this field in the conditional you will need to make a check using in or not in.

Thank you @Rios @leandrojmp, I thought the tags field in Beats was not an array. Thank you both.
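
The three conditionals discussed in this thread, side by side in one pipeline that can be run locally with bin/logstash -f. This is an added example, not a configuration from any poster. It assumes the generator input and the stdout output of a default Logstash install; the cond_* marker fields, the sample messages and the UNROUTED prefix are made up for illustration. The else branch is there because an event that matches no output conditional is otherwise dropped without any error, which is why the index in the question never appeared.

```logstash
# Constructed test pipeline: two synthetic events, one tagged like the
# Filebeat input in the thread and one with no tags at all.
input {
  generator {
    count => 1
    lines => ["tagged sample event"]
    tags  => ["average_weight"]      # arrives as an array, as it does from Beats
  }
  generator {
    count => 1
    lines => ["untagged sample event"]
  }
}

filter {
  # Form from the question: compares the whole array to a string.
  # Per the answers in the thread, this is never true.
  if [tags] == "average_weight" {
    mutate { add_field => { "cond_equals" => "matched" } }
  }

  # Membership test: true when any element of tags equals the string.
  if "average_weight" in [tags] {
    mutate { add_field => { "cond_in" => "matched" } }
  }

  # Comparing one element: only true when the tag is the first element,
  # so it stops matching once another tag is placed ahead of it.
  if [tags][0] == "average_weight" {
    mutate { add_field => { "cond_index0" => "matched" } }
  }
}

output {
  if "average_weight" in [tags] {
    # Prints the event with whichever cond_* fields were added above.
    stdout { codec => rubydebug }
  } else {
    # Catch-all so events that match no route stay visible.
    stdout { codec => line { format => "UNROUTED: %{message}" } }
  }
}
```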
