Logstash if condition regex not working

Hi,

I'm trying to use regex in the if condition in logstash.

My goal is to send the output into 2 different indexes basing on what the field "tags" contains.

So far I had no luck with it. Logstash simply ignores my condition and goes to else.

I tried even filtering using: if [tags] =~ /.*/ {} and even this does not work. although I always have some tag in my message.

Please help!
config

You need to share what your configuration looks like.

1 Like

Hi, I just updated it with my condig.

Hi @Gosia96 , could you provide your sample input configuration too

You can use exact word like _grokparsefailure or just failure
if "_grokparsefailure" in [tags] { code... )

output {
 if (("_grokparsefailure" in [tags]) or ("_groktimeout" in [tags]) )  {
    elasticsearch { ...}
 }
}

Also you can use regex for fields:

  • start with a word failure:
    if ([field]=~ /\Afailure/) { ... }

  • contain a word failure
    if ([field]=~ /\bfailure\b/ { ... }

1 Like

Hi,

This also does not work for me.

confif

You cannot use =~ to iterate over an array. I would do it in ruby

    ruby {
        code => '
            tags = event.get("tags")
            if ! tags ; tags = [] ; end
            event.set("failed", tags.any? { |x| x =~ /failure\b/ })
        '
    }
2 Likes

Use this:
if ("_checkpoint_grok_failure" in [tags]) { .. }

=~ does not work for me even if there is no array - the 2 other tags were only my test-tags. After I removed it, it still does not work.

Could u elaborate how I could use your ruby code to get my result? I need to sent the message into different index if my tag contains the word "failure" and I never used ruby in my life.

That could be because your regexp is wrong. _grokparsefailure does not have a \b before failure.

If you add the ruby filter to your configuration then you could also add

if [failed] {
    mutate { add_tag = [ "DO NOT WORKS" ] }
} else {
    mutate { add_tag = [ "Works" ] }
}

Thank you for your help, this worked!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.