Logstash if condition issue

ruranga · October 31, 2017, 7:15am

I have configured logstash filter as follows. But following filed "NFC_APP_TYPE" (newly added filed by using a if condition) doesn't appear in Kibana dash board

filter{
.........

if [AppCode] == "505050" {
mutate {add_field => [ "NFC_APP_TYPE", "SEMA" ]}
}else if [AppCode] == "404040" {
mutate {add_field => [ "NFC_APP_TYPE", "TRAVEL WP" ]}
}else{
}

}

But filed called AppCode appears as following picture

Following is my pattern. This 'AppCode' filed is defined under keyvalue named as %{GREEDYDATA:nfckeyvalues}

%{EXIM_DATE:NFC_POS_TIME}%{SPACE}%{NOTSPACE}%{SPACE}%{NOTSPACE}%{SPACE}%{NOTSPACE}%{SPACE}%{NOTSPACE}%{SPACE}%{WORD}=%{INT:POS}%{NOTSPACE:RES}=%{INT},%{SPACE}%{GREEDYDATA:nfckeyvalues}

sample log:

2017-10-18 00:14:10,861 [queueJobSchedulerPrivate_Worker-23] INFO TICKET_INFO - POS=80019642|RECIVED_TO_QUEUE|message=PRIVATE|LastTckSerialHeader=196420214628, ResponseBMCode=TX_SUCCESS, LastTktRefNo=214561, TransactionType=6, TransactionSubType=0, PinReq=0, Pin=0, CvcReq=0, Cvc=0, AppCode=505050, CompanyId=1, SubAppId=0, Amount=10.0, PreBal=1483.5, PostBal=1473.5, StartLoc=1, EndLoc=2, PosTrnxTime=2017-10-17 18:15:54, IsNFC=1, TckSerial=196420214561, TckCountFull=1, TckCountHalf=0, TckCountLug=0, RouteDbId=956, TripDirection=1, TripId=3843, CardType=1, WayBillNo=0, Status=1, MerchantNo=00002495, ResponseTGCode=0, ResponseTGDesc=NO, ResponseCMSCode=8, ResponseCMSDesc=POS is not registered in the CMS, ResponseBMDesc=Duplicate Entry found, ResponseNBCode=0, ResponseNBDesc=null, TransactionID=36571948, MessageRecievedTime=2017-10-17 19:24:07, TimeDif=0, LastUpdateDate=2017-10-18 00:14:10, HeaderStatus=4, MessageSentTime=2017-10-18 00:14:08.0, EntCodeHeader=null, AppCodeHeader=505050, PosCodeHeader=80019642, PosTypeHeader=0, TnxTypeHeader=6, TxnNumHeader=null, IsNFCHeader=0, TxnTimeHeader=2017-10-17 19:23:56.0, RecCountHeader=35, FieldCountHeader=0, IsOnline=0, Did=7720171140, Uid=0469700A494380, ErrorCount=2, errCode=0, refCode=null

magnusbaeck · October 31, 2017, 7:21am

Is AppCode numeric or a string? See Logstash filter not working. Probably my fault :D.

ruranga · October 31, 2017, 7:23am

It's a string

magnusbaeck · October 31, 2017, 10:07am

Really? Please show an example document. Copy/paste from Kibana's JSON tab.

ruranga · November 3, 2017, 5:21am

" AppCode": "505050",

Extremely sorry for the delay

magnusbaeck · November 3, 2017, 6:21am

Okay, looks good. What does your complete configuration look like? Is the grok filter that extracts the AppCode field located prior to the conditional that doesn't appear to be firing?

ruranga · November 3, 2017, 8:01am

Yes it's after the grok filter

if [source] =~ "gateway_tickets_info_" {
if "MATCHED" not in [tags]{
grok {

			patterns_dir => ["/apps/logstash-5.1.2/conf/patterns"]
			match => ["message", "%{NFC_POS}"]
			add_field => [ "SYS", "nfc_pos" ]
			add_tag => ["MATCHED"]
                            remove_tag => ["_grokparsefailure"]
		}
		
    }else{
	}
	
	
}

#date for NFC POS

date {
match => [ "NFC_POS_TIME" , "YYYY-MM-dd HH:mm:ss,SSS" ]
target => "NFC_POS_TIME"
}

kv {
source => "nfcposkeyval"
field_split => ","
}

#NFC POS Tx type mapping

if [AppCode] == "505050" {
mutate {add_field => [ "NFC_APP_TYPE", "SEMA" ]}
}else if [AppCode] == "404040" {
mutate {add_field => [ "NFC_APP_TYPE", "TRAVEL WP" ]}
}else{
}

grok pattern in /apps/logstash-5.1.2/conf/patterns

NFC_POS %{EXIM_DATE:NFC_POS_TIME}%{SPACE}%{NOTSPACE}%{SPACE}INFO TICKET_INFO - POS=%{INT:POS}|RECIVED_TO_QUEUE|message=PRIVATE|LastTckSerialHeader=%{INT:LastTckSerialHeader},%{SPACE}%{GREEDYDATA:nfcposkeyval}

Sample log

2017-10-18 00:12:31,870 [queueJobSchedulerPrivate_Worker-20] INFO TICKET_INFO - POS=80008999|RECIVED_TO_QUEUE|message=PRIVATE|LastTckSerialHeader=089990033718, ResponseBMCode=TX_SUCCESS, LastTktRefNo=33685, TransactionType=6, TransactionSubType=0, PinReq=0, Pin=0, CvcReq=0, Cvc=0, AppCode=505050, CompanyId=1, SubAppId=0, Amount=20.0, PreBal=2176.5, PostBal=2156.5, StartLoc=8, EndLoc=4, PosTrnxTime=2016-12-08 06:29:08, IsNFC=1, TckSerial=089990033685, TckCountFull=1, TckCountHalf=0, TckCountLug=0, RouteDbId=EA, TripDirection=2, TripId=467, CardType=1, WayBillNo=0, Status=1, MerchantNo=00002256, ResponseTGCode=0, ResponseTGDesc=NO, ResponseCMSCode=8, ResponseCMSDesc=POS is not registered in the CMS, ResponseBMDesc=Duplicate Entry found, ResponseNBCode=0, ResponseNBDesc=null, TransactionID=11149510, MessageRecievedTime=2016-12-08 06:57:15, TimeDif=0, LastUpdateDate=2017-10-18 00:12:31, HeaderStatus=4, MessageSentTime=2017-10-18 00:11:51.0, EntCodeHeader=null, AppCodeHeader=505050, PosCodeHeader=80008999, PosTypeHeader=0, TnxTypeHeader=6, TxnNumHeader=null, IsNFCHeader=0, TxnTimeHeader=2016-12-08 06:57:04.0, RecCountHeader=36, FieldCountHeader=0, IsOnline=0, Did=7720214191, Uid=04853972974980, ErrorCount=1, errCode=0, refCode=null

magnusbaeck · November 3, 2017, 8:20am

" AppCode": "505050",

There's a leading space in the field name.

ruranga · November 3, 2017, 9:00am

Thank you very much for the prompt response!!!
It's working now.
Didn't see that space which appear due to split key values only with ","
Thanks again! (Y)

system · December 1, 2017, 9:12am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.