Logstash filter conditional if tags or

ktella · October 2, 2017, 7:59pm

Am i doing something wrong here ?

Logs with tag dcsaghosts are the ones only processed by the filter and ignoring the logs with tag pcwsaghosts

filter {
if "dcsaghosts" in [tags] or "pcwsaghosts" in [tags] {
if "dc-itpag-idm" in [tags] or "pcw-itpag-idm" in [tags] {
grok {
match => { "message" => "- %{IPV4:clientip} - - [%{HTTPDATE:requesttimestamp}] %{WORD:httpmethod} / %{NUMBER:responsecode:int} %{NUMBER:responsesize:int} - - - %{NUMBER:responsetimems:int}" }
}
}
else if "dc-sspag-idm" in [tags] or "pcw-sspag-idm" in [tags] {
grok {
match => { "message" => "%{IPV4:clientip} - - [%{HTTPDATE:requesttimestamp}] "%{WORD:httpmethod} /" %{NUMBER:responsecode:int} %{NUMBER:responsesize:int} "-" "-" "-" "%{NUMBER:responsetimems:float}""}
}
}
}

    date {
            locale => "en"
            timezone => "America/New_York"
            match => [ "requesttimestamp","dd/MMM/yyyy:HH:mm:ss Z" ]
    }

}

magnusbaeck · October 3, 2017, 5:17am

Please show an event that hasn't been correctly processed. Use a stdout { codec => rubydebug } output so we can see what it looks like after Logstash has processed it.

ktella · October 3, 2017, 7:16pm

Thanks. Issue on my side config typos in one of filebeat with tags pcwsaghosts

Resolved. IF condition is working fine.

system · October 31, 2017, 7:16pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.