Logstash if condition regex not working

Gosia96 · July 27, 2022, 10:15am

Hi,

I'm trying to use regex in the if condition in logstash.

My goal is to send the output into 2 different indexes basing on what the field "tags" contains.

So far I had no luck with it. Logstash simply ignores my condition and goes to else.

I tried even filtering using: if [tags] =~ /.*/ {} and even this does not work. although I always have some tag in my message.

Please help!
config

leandrojmp · July 27, 2022, 11:36am

You need to share what your configuration looks like.

Gosia96 · July 27, 2022, 12:17pm

Hi, I just updated it with my condig.

lzold_z · July 29, 2022, 3:31am

Hi @Gosia96 , could you provide your sample input configuration too

Rios · July 29, 2022, 6:14am

You can use exact word like _grokparsefailure or just failure
if "_grokparsefailure" in [tags] { code... )

output {
 if (("_grokparsefailure" in [tags]) or ("_groktimeout" in [tags]) )  {
    elasticsearch { ...}
 }
}

Also you can use regex for fields:

start with a word failure:
if ([field]=~ /\Afailure/) { ... }
contain a word failure
if ([field]=~ /\bfailure\b/ { ... }

Gosia96 · July 31, 2022, 8:28pm

Hi,

This also does not work for me.

confif

Badger · July 31, 2022, 9:00pm

You cannot use =~ to iterate over an array. I would do it in ruby

    ruby {
        code => '
            tags = event.get("tags")
            if ! tags ; tags = [] ; end
            event.set("failed", tags.any? { |x| x =~ /failure\b/ })
        '
    }

Rios · August 1, 2022, 3:12am

Use this:
if ("_checkpoint_grok_failure" in [tags]) { .. }

Gosia96 · August 1, 2022, 6:36am

=~ does not work for me even if there is no array - the 2 other tags were only my test-tags. After I removed it, it still does not work.

Could u elaborate how I could use your ruby code to get my result? I need to sent the message into different index if my tag contains the word "failure" and I never used ruby in my life.

Badger · August 1, 2022, 1:01pm

That could be because your regexp is wrong. _grokparsefailure does not have a \b before failure.

If you add the ruby filter to your configuration then you could also add

if [failed] {
    mutate { add_tag = [ "DO NOT WORKS" ] }
} else {
    mutate { add_tag = [ "Works" ] }
}

Gosia96 · August 1, 2022, 1:56pm

Thank you for your help, this worked!

system · August 29, 2022, 1:57pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
If condition regex error Logstash	2	356	February 10, 2021
How to put condition based on certain string in [message]? Logstash	7	17429	May 8, 2018
Logstash if statement with regex example Logstash	7	18265	March 21, 2017
Can I use pattern in Logstash output plugin Logstash	13	277	February 7, 2023
Logstash does not parse if 'if' condition change Logstash	6	248	September 21, 2022

Logstash if condition regex not working

Related Topics