Logstash filter fields in if conditions

kelk · July 27, 2020, 12:40pm

There are many ways you could do. You can either do a if/else condition in output or within filter.
I tend to do mostly within filter as it will be cleaner and modular

So an example would be

input {
    pipeline {
        address => os_nix_syslog_pipeline
    }
}

filter {
  grok {
    match => {
        message => "%{SYSLOG5424LINE}"
      }
  }

  if "syslog5424_host" == '127.0.0.1' {
    mutate {
      add_field => { "myhost" => "localhost" }
    }  
  } else {
    mutate {
      add_field => { "myhost" => "unknown" }
    }  
  }
}

output {
  elasticsearch {
    hosts => "http://localhost:9200"
    user => "elastic"
    password => "changeme"
    index => "os_%{myhost}-%{+YYYY.MM}"
  }
}

The idea here is

Get the input from a pipeline or log. In this example, it is a linux_syslog
Grok to get the linux_syslog paramters
if the syslog_host is 127.0.0.1, its localhost and add a field called "myhost". If anything else, it is "unknown"
Just pump the output based on that field

Topic		Replies	Views
Help adding field if a condition exists Logstash	5	9098	June 6, 2017
If conditional statement field source Logstash	2	1850	July 26, 2017
Filter if condition in Logstash Logstash	8	19412	July 24, 2019
If conditional on nested field with IP address Logstash	10	3724	April 21, 2020
Logstash compare one field with multiple value (string) Logstash	6	11575	July 6, 2017

Logstash filter fields in if conditions

Related topics