Logstash "if" condition not working as expected

Below is the input message (one event) that is sent to Logstash:

{
	"object2": "",
	"headers": {
		"request_path": "/",
		"request_method": "POST",
		"http_accept": "*/*",
		"content_type": "application/json; charset=utf-8",
		"http_version": "HTTP/1.1",
		"http_user_agent": null,
		"content_length": "859",
		"http_host": "XXXXXXXXXXXXX"
	},
	"host": "xxxxxxx",
	"logger_name": "awx.analytics.activity_stream",
	"summary_fields": {
		"actor": {
			"username": "xxx.xxx@xxx.com",
			"first_name": "xxx",
			"id": 999,
			"last_name": "xxx"
		},
		"credential": [{
			"kind": "ssh",
			"cloud": false,
			"credential_type_id": 1,
			"description": "test sr_xxx for activity streams 44671112213",
			"kubernetes": false,
			"name": "xx_xxx_test",
			"id": 999
		}]
	},
	"@version": "1",
	"@timestamp": "2021-05-31T10:02:20.745Z",
	"level": "INFO",
	"cluster_host_id": "xxxxxxxxxx",
	"message": "Activity Stream update entry for xxxxxxxx",
	"stack_info": null,
	"operation": "update",
	"actor": "xxx@xxx.com",
	"changes": {
		"description": ["test sr_xxx for activity streams 4144671112213", "test sr_xxx for activity streams 44671112213"]
	},
	"object1": "credential",
	"relationship": "",
	"tower_uuid": null
}

and below is my logstash config

    input {
      http {
        port => 5000
        codec => json
        ssl => true
        # NOTE(review): the server's own certificate is also used as the trust
        # anchor for client certificates, so only client certs issued by (or equal
        # to) elastic.crt can verify here.
        ssl_certificate_authorities => "/etc/ssl/elastic/elastic.crt"
        ssl_certificate => "/etc/ssl/elastic/elastic.crt"
        ssl_key => "/etc/ssl/elastic/elastic.key"
        # "peer" asks the client for a certificate and validates it only if one is
        # presented; a client that sends no certificate is still accepted. With no
        # user/password on this input, anything that can reach port 5000 can inject
        # events. Use "force_peer" to require mutual TLS.
        ssl_verify_mode => "peer"
      }
    }
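    output {
      elasticsearch {
        # NOTE(review): plain http, no credentials; keep port 9200 reachable only
        # from this host, or configure ssl/user/password on this output.
        hosts => ["xxx.xxx.xxx.xxx:9200"]
      }
      stdout { codec => rubydebug }
      #stdout { codec => json }
      # [changes][description] is an array in the sample event (two strings:
      # apparently the previous and the new description), and the regex match did
      # not fire against the array as a whole. Address the elements explicitly and
      # accept a match on either one so the file output sees both directions of
      # the change.
      # NOTE(review): /tmp is world-writable; a local user could pre-create or
      # symlink this path. Prefer a directory owned by the logstash user.
      if [changes][description][0] =~ /test sr_xxx for activity streams/ or [changes][description][1] =~ /test sr_xxx for activity streams/ {
          file { path => "/tmp/sr_output.txt" }
      }
    }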

I expect the input message to be written to the file /tmp/sr_output.txt but it's not being written.

Any idea as to why?

It looks like your field changes.description is an array, and the `=~` conditional is not matching against the array as a whole.

"changes": {
		"description": ["test sr_xxx for activity streams 4144671112213", "test sr_xxx for activity streams 44671112213"]
	}

So, to match its values you need to address a specific element, e.g. [changes][description][0]. That only tests the first item, and in your sample the array actually has two items (the old and the new description), so test both elements: `if [changes][description][0] =~ /test sr_xxx for activity streams/ or [changes][description][1] =~ /test sr_xxx for activity streams/ { ... }`.

You could also use the split filter on the field changes.description: it creates one event per item in the array (two events for your sample, each with a scalar changes.description), after which your regex conditional works as written. Note that the split events go to every output, so the elasticsearch output would receive both copies as well.
