Hi,
Please help me with the if condition filter in logstash for the same KQL query mentioned below. message: *.url.* and not *failover*
Below logstash filter is not working:
filter {
  if ([message] != ‘.\.url\..’ and [message] == ‘.failover.’) {
    grok{}
  } else {
    drop{}
  }
}
Use a substring match
if ".url." in [message] and "failover" not in [message] {
Thank you @Badger for your reply.
Can you please tell me how I can use .url. with a wildcard on both ends, like this *.url.* in KQL?
"something" in [message] is a substring match. It does not need wildcards at each end, they are implicit.
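The substring conditional from the reply above, shown next to a regex form in a pipeline that can be run with `logstash -f`. This is an added example, not code from any poster in the thread. The sample lines, the tag names and the wish for case-insensitive matching are assumptions, and events are tagged rather than dropped so both results show in the output.

```logstash
# Added example. The sample lines below are constructed, not taken from the thread.
input {
  generator {
    count => 1
    lines => [
      "GET http://app.url.example/login 200",
      "GET http://app.url.example/failover 503",
      "GET http://app.URL.example/login 200",
      "GET http://app.url.example/FAILOVER 503",
      "heartbeat ok"
    ]
  }
}

filter {
  # Substring test: "in" matches anywhere in the field, so no wildcards
  # are needed. The comparison is case-sensitive.
  if ".url." in [message] and "failover" not in [message] {
    mutate { add_tag => ["kept_substring"] }
  }

  # Regex test: =~ and !~ take patterns, while == and != only compare
  # whole strings for equality. (?i) makes the match case-insensitive
  # (assumed here to be the wanted behaviour).
  if [message] =~ /(?i)\.url\./ and [message] !~ /(?i)failover/ {
    mutate { add_tag => ["kept_regex"] }
  }

  # In a real pipeline the untagged events would go to drop {} in an
  # else branch, as in the filter from the question.
}

output {
  stdout { codec => rubydebug }
}
```

Lines 1 and 2 are treated the same by both tests. Line 3 (`.URL.`) is kept only by the regex test, and line 4 (`FAILOVER`) is kept only by the substring test, which is the case to watch when the filter decides which events are dropped.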