Logstash filter section - "if" condition doesn't work


#1

Hi,

I have a problem with dropping events on the condition that one of the fields has a specific value set. The field is extracted using the xml filter plugin.
According to the config below, my understanding is that all events except those with xmlRequestType = "CreateRQ" or xmlRequestType = "CreateRS" should be dropped. So the example below with CreateRQ should store the value, but it doesn't.

Part of my filter section config:

## parsing XML payload
if [xmlPayload] {
  xml {
    source => "xmlPayload"
    store_xml => false # disable storing parsed xml
    remove_namespaces => true
    xpath => {
      "local-name(/*)" => "xmlRequestType"
      "(//@ClientCode)[1]" => "xmlClientCode"
      "(//@ClientContextCode)[1]" => "xmlClientContextCode"
    }
  }
}
# drop anything except CreateRQ/CreateRS
if [xmlRequestType] not in ["CreateRQ","CreateRS"] {
  drop {}
}

and the rubydebug output when the above condition is commented out:

{
          "xmlRequestType" => [
        [0] "CreateRQ"
    ],
                    "path" => "/apps/elk/logstash/pdc.log",
    "xmlClientContextCode" => [
        [0] "GCL"
    ],
           "xmlClientCode" => [
        [0] "TN"
    ],
                "@version" => "1",
              "@timestamp" => 2018-09-21T12:27:37.020Z
}

Thanks in advance !


#2

Resolved.
xmlRequestType is an array in this case, so I need to use [xmlRequestType][0] in my condition.

Another thing: I've tried to set
force_array => false
for the xml filter plugin, but it looks like it has no effect.
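
The fix described in the reply above, written out as a complete pipeline. This is an added example, not part of the original posts: the generator input and its sample XML payload are constructed for illustration, and the final mutate step that flattens the array is an optional addition.

```logstash
# Constructed sample event: one XML payload whose root element is CreateRQ.
input {
  generator {
    count => 1
    add_field => { "xmlPayload" => '<CreateRQ ClientCode="TN" ClientContextCode="GCL"/>' }
  }
}

filter {
  if [xmlPayload] {
    xml {
      source => "xmlPayload"
      store_xml => false          # do not store the parsed document
      remove_namespaces => true
      xpath => {
        "local-name(/*)" => "xmlRequestType"
        "(//@ClientCode)[1]" => "xmlClientCode"
        "(//@ClientContextCode)[1]" => "xmlClientContextCode"
      }
    }
  }

  # Before (from the question): the field holds an array, so the CreateRQ
  # event was dropped along with everything else.
  # if [xmlRequestType] not in ["CreateRQ", "CreateRS"] { drop { } }

  # After: compare the first element of the array that the xpath option stored.
  # Events that have no xmlRequestType at all are dropped as well.
  if [xmlRequestType][0] not in ["CreateRQ", "CreateRS"] {
    drop { }
  }

  # Optional (assumption, not from the thread): replace the one-element array
  # with a plain string so later conditionals can test the field directly.
  mutate {
    replace => { "xmlRequestType" => "%{[xmlRequestType][0]}" }
  }
}

output {
  stdout { codec => rubydebug }
}
```

Checking the rubydebug output after a change like this confirms that the expected events still reach the output, since a conditional that never matches drops every event without logging an error.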

