Logstash GROK If statement

Nitin_gupta · July 19, 2017, 1:17pm

Hi,

I am trying to configure logstash and below is my filter configuration .

Capturing event in grok statement and then checking whether event is equal to condition
but i am getting errors at if[event]=

is it possible to use if condition with event captured in grok statement ?

filter{
     if[source]=~"ftp.log"{
        grok{
         match=>{
                 "message"=>[
                 "\[%{TIMESTAMP_ISO8601:timestamp}\] ALL AUDIT: User \[%{GREEDYDATA:userId}\]\ %{GREEDYDATA:var} \[%{HOSTNAME:ip}\] %{GREEDYDATA:event}.",
                 "\[%{TIMESTAMP_ISO8601:timestamp}\] ALL AUDIT: User \[%{GREEDYDATA:userId}\]\ %{GREEDYDATA:event} \[%{GREEDYDATA:filename}\]."
							]
				}
				
				
				if[event]=~"retrieving file"{
						add_tag=>["Download"]
					}else if["event"]=~"storing file"{
						add_tag=>["Upload"]
					}else if["event"]=~"has logged in"{
						add_tag=>["Login"]			
				}
				add_tag=>["log_ftp"]
			}
			
			}
     }

Nitin_gupta · July 19, 2017, 3:09pm

working now
now my if statements are outside of grok
and also removed double quotes in "event"

system · August 16, 2017, 3:09pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.