Logstash Filter If loop

adityak248 · January 30, 2024, 6:53pm

Which one is correct:

filter {
    if [kubernetes_labels][app] == "app-name" and [kubernetes_container_name] == "nginx" {
        grok {
            match => {"message" => 'XXX'}}}
    else if [kubernetes_labels][app] == "app-name" and [kubernetes_container_name] == "app" {
        grok {
            match => {"message" => "XXX"}}}
}

or

filter {
    if [kubernetes_labels][app] == "app-name" {
        if [kubernetes_container_name] == "nginx" {
            grok {
                match => {"message" => 'XXX'}}
        }
        else if [kubernetes_container_name] == "app" { 
            grok {
                match => {"message" => "XXX"}}
        }
    }
}

or

filter {
    if [kubernetes_labels][app] == "app-name" {
        if [kubernetes_container_name] == "nginx" {
            grok {
                match => {"message" => 'XXX'}}
        }
        if [kubernetes_container_name] == "app" {
            grok {
                match => {"message" => "XXX"}}
        }
    }
}

I know case 1 works fine but am trying to fine tuning the filters and wanted to check with community.
There is no much documentation on if loops.
Please help. Thanks

leandrojmp · January 30, 2024, 7:50pm

All of them are correct and will work, which one is better depend users preference.

All the documentation needed for if conditionals in Logstash is here.

system · February 27, 2024, 7:51pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
If statement in grok filter Logstash	3	13758	January 15, 2018
Some trouble with if / else in logstash filter block Logstash	3	1063	July 6, 2017
Trouble with filter conditional logic Logstash	6	271	January 21, 2023
Logstash filter fields in if conditions Logstash	5	19289	August 25, 2020
Logstash Filter - regez Logstash	4	285	March 9, 2021

Logstash Filter If loop

Related Topics