Logstash if >= causes logstash to crash


I am on ES 7.9.2, i am writing a logstash parser to add a severity based on the risk level.
The risk_score is between 0-10 and can be to 1 decimal place

mutate {
convert => { "risk_score" => "float" }
if [risk_score] == 0 {
          mutate {
            add_field => { "[vulnerability][severity]" => "info" }

With == 0 and a risk_score of 9.3 logstash is ok. If i use >= then logstash will stop processing events.

if [risk_score] >= 6 and [risk_score] < 7
          mutate {
            add_field => { "risk_level" => "critical" }

I cannot see what i am doing wrong with this or why it is failing. Any ideas?

I tried converting to integer but it still failed, once i removed the if code and restarted logstash the events came through but risk_score was still a decimal.

You know you are missing a { on the if line, right?


sorry thats my poor copy/paste. Logstash is refreshing with success, its only when an event that hits that part of the pipeline it fails.

Ive found another post that states that mutate runs in a specific order, its possible that the convert happens to early in the mutate. Ive seperated the convert into a seperate mutate and see what happens.

Problem solved, the mutate built in order was the issue, seperate mutate after with the convert and the if statements are working.


This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.