Logstash Filter - regez

jancodenew · February 9, 2021, 9:05pm

Hi,

Please help me with the if condition filter in logstash for same KQL querymentioned below.
message: *.url.* and not *failover*

Below logstash filter is not working
filter{
if ([message] != ‘.\.url\..’ and [message] == ‘.failover.’)
{
grok{}
}
else{
drop{}
}
}

Badger · February 9, 2021, 9:08pm

Use a substring match

if ".url." in [message] and "failover" not in [message] {

jancodenew · February 9, 2021, 9:28pm

Thank you @Badger for your reply.

Can you please tell me how can I use .url. with wildcard on both ends?, like this *.url.* in KQL.

Badger · February 9, 2021, 9:33pm

"something" in [message] is a substring match. It does not need wildcards at each end, they are implicit.

system · March 9, 2021, 9:33pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to check with * wildcard condition in Logstash filter Logstash	2	4490	July 26, 2018
Need Help on Logstash filter If-Else Condition Logstash	1	251	July 28, 2020
Separating request URI path and query in logstash Logstash	2	1010	January 2, 2019
Creating drop filters based on a string search in a message field Logstash	13	38945	November 4, 2022
Quick Question on Grok and filtering Logstash	3	260	May 21, 2018