Logstash GROK If statement

Nitin_gupta · July 19, 2017, 1:17pm

Hi,

I am trying to configure logstash and below is my filter configuration .

Capturing event in grok statement and then checking whether event is equal to condition
but i am getting errors at if[event]=

is it possible to use if condition with event captured in grok statement ?

filter{
     if[source]=~"ftp.log"{
        grok{
         match=>{
                 "message"=>[
                 "\[%{TIMESTAMP_ISO8601:timestamp}\] ALL AUDIT: User \[%{GREEDYDATA:userId}\]\ %{GREEDYDATA:var} \[%{HOSTNAME:ip}\] %{GREEDYDATA:event}.",
                 "\[%{TIMESTAMP_ISO8601:timestamp}\] ALL AUDIT: User \[%{GREEDYDATA:userId}\]\ %{GREEDYDATA:event} \[%{GREEDYDATA:filename}\]."
							]
				}
				
				
				if[event]=~"retrieving file"{
						add_tag=>["Download"]
					}else if["event"]=~"storing file"{
						add_tag=>["Upload"]
					}else if["event"]=~"has logged in"{
						add_tag=>["Login"]			
				}
				add_tag=>["log_ftp"]
			}
			
			}
     }

Nitin_gupta · July 19, 2017, 3:09pm

working now
now my if statements are outside of grok
and also removed double quotes in "event"

system · August 16, 2017, 3:09pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok Expression in If condition Filter Logstash	5	8713	July 6, 2017
Grok with Else conditionals. How? Logstash	8	5693	December 9, 2016
If conditional statement field source Logstash	2	1850	July 26, 2017
Why i cant use if statement in grock block? Logstash	6	348	May 18, 2018
Logstash conf file if else condition is not working Logstash	3	403	April 8, 2019

Logstash GROK If statement

Related topics