Logstash filter section - "if" condition doesn't work

Ged · September 21, 2018, 1:00pm

Hi,

I have problem with dropping events on condition that one of fields has specific value set. Fields is extracted using xml filter plugin.
According to below my understanding is all events except of those with xmlRequestType = "CreateRQ" or xmlRequestType = "CreateRS" should be dropped. So below example with CreateRQ should store value, but it doesn't.

Part of my filter section config:
## parsing XML payload if [xmlPayload] { xml { source => "xmlPayload" store_xml => false # disable storing parsed xml remove_namespaces => true xpath => { "local-name(/*)" => "xmlRequestType" "(//@ClientCode)[1]" => "xmlClientCode" "(//@ClientContextCode)[1]" => "xmlClientContextCode" } } } # drop anything except of CreateRQ/CreateRS if [xmlRequestType] not in "[CreateRQ","CreateRS"] { drop{} }
and rubydebug output when above condition is commented
{ "xmlRequestType" => [ [0] CreateRQ" ], "path" => "/apps/elk/logstash/pdc.log", "xmlClientContextCode" => [ [0] "GCL" ], "xmlClientCode" => [ [0] "TN" ], "@version" => "1", "@timestamp" => 2018-09-21T12:27:37.020Z }
Thanks in advance !

Ged · September 21, 2018, 2:17pm

Resolved.
xmlRequestType is and array in this case so i need to use [xmlRequestType][0] in my condition.

Other thing is i've tried to set
force_array => false
for xml filter plugin, but looks like it has no effect.

system · October 19, 2018, 2:17pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
IF condition with XML filter Logstash	5	1023	December 6, 2017
Logstash drop filter is not dropping events Logstash	2	1119	November 4, 2022
How can I use if condition in filter for xml Logstash	19	2053	May 7, 2018
Logstash Filter Conditional Usage Logstash	3	276	July 10, 2019
Drop filter in Logstash filter not working for the below event Logstash	2	176	October 13, 2023

Logstash filter section - "if" condition doesn't work

Related topics