Hi,
I'm trying to use regex in the if condition in logstash.
My goal is to send the output into 2 different indexes based on what the field "tags" contains.
So far I had no luck with it. Logstash simply ignores my condition and goes to else.
I even tried filtering using: if [tags] =~ /.*/ {} and even this does not work, although I always have some tag in my message.
Please help!
leandrojmp
(Leandro Pereira)
July 27, 2022, 11:36am
2
You need to share what your configuration looks like.
1 Like
Hi, I just updated it with my config.
lzold_z
(lzold z)
July 29, 2022, 3:31am
4
Hi @Gosia96, could you provide your sample input configuration too?
Rios
(Rios)
July 29, 2022, 6:14am
5
You can use an exact word like _grokparsefailure or just failure
    if "_grokparsefailure" in [tags] { code... }
    output {
      if (("_grokparsefailure" in [tags]) or ("_groktimeout" in [tags])) {
        elasticsearch { ...}
      }
    }
Also you can use regex for fields:
1 Like
Hi,
This also does not work for me.
Badger
July 31, 2022, 9:00pm
7
You cannot use =~ to iterate over an array. I would do it in ruby
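    ruby {
      code => '
        # "tags" may be missing; treat that as an empty list
        tags = event.get("tags")
        if ! tags ; tags = [] ; end
        # true if any single tag ends a word with "failure"
        event.set("failed", tags.any? { |x| x =~ /failure\b/ })
      '
    }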
2 Likes
Rios
(Rios)
August 1, 2022, 3:12am
8
Use this:
if ("_checkpoint_grok_failure" in [tags]) { .. }
=~ does not work for me even if there is no array - the 2 other tags were only my test tags. After I removed them, it still does not work.
Could you elaborate how I could use your ruby code to get my result? I need to send the message into a different index if my tag contains the word "failure" and I have never used ruby in my life.
Badger
August 1, 2022, 1:01pm
10
That could be because your regexp is wrong. _grokparsefailure does not have a \b before failure.
If you add the ruby filter to your configuration then you could also add
    if [failed] {
      mutate { add_tag => [ "DO NOT WORKS" ] }
    } else {
      mutate { add_tag => [ "Works" ] }
    }
Thank you for your help, this worked!
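The tag check from the ruby filter above, as an added example that is not part of the original thread: plain Ruby that runs outside Logstash, with events modelled as hashes and the index names `logs-failed` and `logs-parsed` invented for illustration. It also shows why a pattern with `\b` before `failure` misses `_grokparsefailure`.

```ruby
# Added example (not from the thread): the tag check from the ruby filter,
# modelled in plain Ruby so it can be run and tested outside Logstash.
# Events are plain hashes; the index names are hypothetical.

FAILURE_AT_WORD_END = /failure\b/    # pattern used in the ruby filter above
FAILURE_AT_WORD_START = /\bfailure/  # variant with the boundary before "failure"

# "tags" may be missing, a single string, or an array; always return an array.
def tag_list(event)
  Array(event["tags"]).map(&:to_s)
end

# True when at least one tag matches: the per-element check that the thread
# does in ruby because =~ does not iterate over the [tags] array.
def failed?(event, pattern = FAILURE_AT_WORD_END)
  tag_list(event).any? { |tag| tag.match?(pattern) }
end

# Choose the destination index for one event.
def target_index(event)
  failed?(event) ? "logs-failed" : "logs-parsed"
end

# Group event messages by destination index.
def route(events)
  events.group_by { |e| target_index(e) }
        .transform_values { |evs| evs.map { |e| e["message"] } }
end

# Constructed sample events.
SAMPLE_EVENTS = [
  { "message" => "a", "tags" => ["_grokparsefailure", "test1"] },
  { "message" => "b", "tags" => ["checkpoint"] },
  { "message" => "c" },
  { "message" => "d", "tags" => "_checkpoint_grok_failure" },
].freeze

if __FILE__ == $PROGRAM_NAME
  route(SAMPLE_EVENTS).each { |index, msgs| puts "#{index}: #{msgs.join(', ')}" }
  # "_" and letters are word characters, so there is no boundary before
  # "failure" in either tag and the second pattern matches nothing.
  SAMPLE_EVENTS.each do |e|
    puts "#{e['message']}: #{failed?(e, FAILURE_AT_WORD_START)}"
  end
end
```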