Logstash if >= causes logstash to crash

probson · September 30, 2020, 4:59pm

Hi,

I am on ES 7.9.2, i am writing a logstash parser to add a severity based on the risk level.
The risk_score is between 0-10 and can be to 1 decimal place

mutate {
convert => { "risk_score" => "float" }
        }
if [risk_score] == 0 {
          mutate {
            add_field => { "[vulnerability][severity]" => "info" }
          }
        }

With == 0 and a risk_score of 9.3 logstash is ok. If i use >= then logstash will stop processing events.
ie

if [risk_score] >= 6 and [risk_score] < 7
          mutate {
            add_field => { "risk_level" => "critical" }
        }
      }

I cannot see what i am doing wrong with this or why it is failing. Any ideas?

I tried converting to integer but it still failed, once i removed the if code and restarted logstash the events came through but risk_score was still a decimal.

Badger · September 30, 2020, 6:15pm

You know you are missing a { on the if line, right?

probson · September 30, 2020, 6:44pm

@Badger

sorry thats my poor copy/paste. Logstash is refreshing with success, its only when an event that hits that part of the pipeline it fails.

Ive found another post that states that mutate runs in a specific order, its possible that the convert happens to early in the mutate. Ive seperated the convert into a seperate mutate and see what happens.

probson · September 30, 2020, 7:07pm

Problem solved, the mutate built in order was the issue, seperate mutate after with the convert and the if statements are working.

https://discuss.elastic.co/t/howto-integer-comparison-in-logstash-filter/175675/2

system · October 28, 2020, 7:07pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.