Logstash filter section problem

jmbrown · June 26, 2017, 2:11pm

Hi, I'm trying to create a set of filters that will add a field based on a numeric value received by logstash.
At the moment I'm just adding a TAG to see if the "IF" works.
It appears that there is something wrong with my IF statement.
I've tried '174' , "174", and 174 without any enclosing marks.

How do can I debug this further ?? According to the netflow codec docs ipfix.bgpDestinationAsNumber
is a numeric field.

filter {

if [ipfix.bgpDestinationAsNumber] == '174' {
    mutate  {
        add_tag => { "FUBAR" => "BARF"  }
    } 
}

}

Thank you for the help

paz · June 26, 2017, 2:27pm

Just the numeric without the quotes should work.

Also, is the "ipfix.bgpDestinationAsNumber" a nested one? By default the netflow codec has a target field called "netflow" as per the documentation, so you might need to reference it as

Btw, the add_tag needs just a value that will end up in the "tags" field, no need to supply a field name. Try this instead

filter {
	if [netflow][ipfix.bgpDestinationAsNumber] == 174 {
		mutate {
			add_tag => ["BARF"]
		}
	}
}

jmbrown · June 26, 2017, 4:29pm

Hi Paris,

Thank you for your help. I had to modify the field name, but your example helped solve the problem

For others: The corrected line is

filter {
if [ipfix][bgpDestinationAsNumber] == 174 {
mutate {
add_tag => ["BARF"]
}
}
}

system · July 24, 2017, 4:29pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.