Logstash filter fields in if conditions

kelk · July 27, 2020, 12:40pm

There are many ways you could do. You can either do a if/else condition in output or within filter.
I tend to do mostly within filter as it will be cleaner and modular

So an example would be

input {
    pipeline {
        address => os_nix_syslog_pipeline
    }
}

filter {
  grok {
    match => {
        message => "%{SYSLOG5424LINE}"
      }
  }

  if "syslog5424_host" == '127.0.0.1' {
    mutate {
      add_field => { "myhost" => "localhost" }
    }  
  } else {
    mutate {
      add_field => { "myhost" => "unknown" }
    }  
  }
}

output {
  elasticsearch {
    hosts => "http://localhost:9200"
    user => "elastic"
    password => "changeme"
    index => "os_%{myhost}-%{+YYYY.MM}"
  }
}

The idea here is

Get the input from a pipeline or log. In this example, it is a linux_syslog
Grok to get the linux_syslog paramters
if the syslog_host is 127.0.0.1, its localhost and add a field called "myhost". If anything else, it is "unknown"
Just pump the output based on that field

Topic		Replies	Views
Filter if condition in Logstash Logstash	8	19401	July 24, 2019
If conditional on nested field with IP address Logstash	10	3713	April 21, 2020
If condition in logstash filter Logstash	1	374	December 17, 2018
I want to put my grok inside if else block of logstash I want the fields to be displayed in kibana it's executing but not displaying the actual fields Logstash	1	166	June 14, 2023
Expected one of # Logstash	8	1075	May 2, 2017

Logstash filter fields in if conditions

Related Topics