Logstash filter condition statement not working as expected

Version Used:
Logstash 5.5.0

Data Flow -> Filebeat (5.5.0)_ Logstash 5.5.0_Elasticsearch 5.5.0

Input Case1:

<tag1></tag1><tag2></tag2><Unique>Data 1<Unique>
 <tag3></tag3><tag4></tag4>

Input Case 2:

 <tag1></tag1><tag2></tag2><Distinct Tag="1">Data 2</Distinct>
 <tag3></tag3><tag4></tag4>

Input Case 3:

<tag1></tag1><tag2></tag2><Unique>Data 1</Unique>
<tag3></tag3><tag4></tag4><Distinct Tag="1">Data 2</Distinct>
<tag5></tag5>

Logstash Filter
Expected Output : Extract "Unique" tag Data, if it is not present then extract "Distinct Tag="1" tagdata

Logstash Yml:

filter {
  grok {
    patterns_dir => "./patterns"
    match => ["message", "<Unique>%{GREEDYDATA:Product_ID}</Unique>"]
  }
if [Product_ID] ==[]{
  grok {
    patterns_dir => "./patterns"
      match => ["message", '<Distinct Tag="1" %{DATA:namespace}>%{GREEDYDATA:Product_ID}</Distinct>']
    }
  }
 }
}
filter {  
  if "_grokparsefailure" in [tags] {
drop { }
}

Current Output :
The second match never occurs. (Distinct Tag="1" )
Case 2 Fails. If Distinct Tag is used in one grok separately, it work.

I even tried ->

if ![Product_ID]
#still not working

Is it because you have a space in your <Unique> tag in the doc that has a <Distinct> tag too?

Sorry, That space was not intentional. Can you check it again now.
Input case 2 if failing and not case 3 as it has<Unique> Tag

Can you post your custom pattern files?

I'm using the default"grok-patterns". I have not added any pattern.

URGENT HELP

If you'd like an answer within a specific window then we can provide support with SLAs. Otherwise please have patience

Show an example document that exhibits the problem. Copy/paste from Kibana's JSON or use a stdout { codec => rubydebug } output.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.