Logstash Filter If loop

adityak248 · January 30, 2024, 6:53pm

Which one is correct:

filter {
    if [kubernetes_labels][app] == "app-name" and [kubernetes_container_name] == "nginx" {
        grok {
            match => {"message" => 'XXX'}}}
    else if [kubernetes_labels][app] == "app-name" and [kubernetes_container_name] == "app" {
        grok {
            match => {"message" => "XXX"}}}
}

or

filter {
    if [kubernetes_labels][app] == "app-name" {
        if [kubernetes_container_name] == "nginx" {
            grok {
                match => {"message" => 'XXX'}}
        }
        else if [kubernetes_container_name] == "app" { 
            grok {
                match => {"message" => "XXX"}}
        }
    }
}

or

filter {
    if [kubernetes_labels][app] == "app-name" {
        if [kubernetes_container_name] == "nginx" {
            grok {
                match => {"message" => 'XXX'}}
        }
        if [kubernetes_container_name] == "app" {
            grok {
                match => {"message" => "XXX"}}
        }
    }
}

I know case 1 works fine but am trying to fine tuning the filters and wanted to check with community.
There is no much documentation on if loops.
Please help. Thanks

leandrojmp · January 30, 2024, 7:50pm

All of them are correct and will work, which one is better depend users preference.

All the documentation needed for if conditionals in Logstash is here.

system · February 27, 2024, 7:51pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.