Hi,
I'm trying to use regex in the if condition in logstash.
My goal is to send the output into 2 different indexes basing on what the field "tags" contains.
So far I had no luck with it. Logstash simply ignores my condition and goes to else.
I tried even filtering using: if [tags] =~ /.*/ {} and even this does not work. although I always have some tag in my message.
Please help!
You need to share what your configuration looks like.
Hi, I just updated it with my condig.
Hi @Gosia96 , could you provide your sample input configuration too
You can use exact word like _grokparsefailure or just failure
if "_grokparsefailure" in [tags] { code... )
output {
if (("_grokparsefailure" in [tags]) or ("_groktimeout" in [tags]) ) {
elasticsearch { ...}
}
}
Also you can use regex for fields:
start with a word failure:
if ([field]=~ /\Afailure/) { ... }
contain a word failure
if ([field]=~ /\bfailure\b/ { ... }
You cannot use =~ to iterate over an array. I would do it in ruby
ruby {
code => '
tags = event.get("tags")
if ! tags ; tags = [] ; end
event.set("failed", tags.any? { |x| x =~ /failure\b/ })
'
}
Use this:
if ("_checkpoint_grok_failure" in [tags]) { .. }
=~ does not work for me even if there is no array - the 2 other tags were only my test-tags. After I removed it, it still does not work.
Could u elaborate how I could use your ruby code to get my result? I need to sent the message into different index if my tag contains the word "failure" and I never used ruby in my life.
That could be because your regexp is wrong. _grokparsefailure does not have a \b before failure.
If you add the ruby filter to your configuration then you could also add
if [failed] {
mutate { add_tag = [ "DO NOT WORKS" ] }
} else {
mutate { add_tag = [ "Works" ] }
}
Thank you for your help, this worked!
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.