Logstash GROK If statement

Nitin_gupta · July 19, 2017, 1:17pm

Hi,

I am trying to configure logstash and below is my filter configuration .

Capturing event in grok statement and then checking whether event is equal to condition
but i am getting errors at if[event]=

is it possible to use if condition with event captured in grok statement ?

filter{
     if[source]=~"ftp.log"{
        grok{
         match=>{
                 "message"=>[
                 "\[%{TIMESTAMP_ISO8601:timestamp}\] ALL AUDIT: User \[%{GREEDYDATA:userId}\]\ %{GREEDYDATA:var} \[%{HOSTNAME:ip}\] %{GREEDYDATA:event}.",
                 "\[%{TIMESTAMP_ISO8601:timestamp}\] ALL AUDIT: User \[%{GREEDYDATA:userId}\]\ %{GREEDYDATA:event} \[%{GREEDYDATA:filename}\]."
							]
				}
				
				
				if[event]=~"retrieving file"{
						add_tag=>["Download"]
					}else if["event"]=~"storing file"{
						add_tag=>["Upload"]
					}else if["event"]=~"has logged in"{
						add_tag=>["Login"]			
				}
				add_tag=>["log_ftp"]
			}
			
			}
     }

Nitin_gupta · July 19, 2017, 3:09pm

working now
now my if statements are outside of grok
and also removed double quotes in "event"

Topic		Replies	Views
Grok Pattern with If Condtion Logstash	2	329	March 18, 2019
Grok Expression in If condition Filter Logstash	5	8786	July 6, 2017
Why i cant use if statement in grock block? Logstash	6	384	May 18, 2018
Grok filter if condition issue Logstash	3	2430	July 6, 2017
Grok filter not working with if condition Logstash	1	355	December 18, 2018

Logstash GROK If statement

Related topics