Logstash filter section - "if" condition doesn't work

Ged · September 21, 2018, 1:00pm

Hi,

I have problem with dropping events on condition that one of fields has specific value set. Fields is extracted using xml filter plugin.
According to below my understanding is all events except of those with xmlRequestType = "CreateRQ" or xmlRequestType = "CreateRS" should be dropped. So below example with CreateRQ should store value, but it doesn't.

Part of my filter section config:
## parsing XML payload if [xmlPayload] { xml { source => "xmlPayload" store_xml => false # disable storing parsed xml remove_namespaces => true xpath => { "local-name(/*)" => "xmlRequestType" "(//@ClientCode)[1]" => "xmlClientCode" "(//@ClientContextCode)[1]" => "xmlClientContextCode" } } } # drop anything except of CreateRQ/CreateRS if [xmlRequestType] not in "[CreateRQ","CreateRS"] { drop{} }
and rubydebug output when above condition is commented
{ "xmlRequestType" => [ [0] CreateRQ" ], "path" => "/apps/elk/logstash/pdc.log", "xmlClientContextCode" => [ [0] "GCL" ], "xmlClientCode" => [ [0] "TN" ], "@version" => "1", "@timestamp" => 2018-09-21T12:27:37.020Z }
Thanks in advance !

Ged · September 21, 2018, 2:17pm

Resolved.
xmlRequestType is and array in this case so i need to use [xmlRequestType][0] in my condition.

Other thing is i've tried to set
force_array => false
for xml filter plugin, but looks like it has no effect.

system · October 19, 2018, 2:17pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
IF condition with XML filter Logstash	5	1022	December 6, 2017
How can I use if condition in filter for xml Logstash	19	2047	May 7, 2018
Logstash Filter Conditional Usage Logstash	3	276	July 10, 2019
Drop filter in Logstash filter not working for the below event Logstash	2	176	October 13, 2023
Logstash filter not working. Probably my fault :D Logstash	5	975	November 28, 2017

Logstash filter section - "if" condition doesn't work

Related Topics