Logstash if condition

Hey, I'm new to Logstash and got stuck while trying to create an if condition...

The structure of my if condition:

    if ([process][executable] not in [processes]["%{[process][hash][md5]}"][paths]) {
     ....
    }

When I try to use this configuration, Logstash will not start and responds with an error about the structure of the condition.

To test it, I wrote a possible value and it worked:

    if ([process][executable] not in [processes][5746bd7e255dd6a8afa06f7c42c1ba41][paths]) {
     ....
    }

To be more specific, I did use this phrase in the rest of my code:

    [processes]["%{[process][hash][md5]}"][paths]

Any ideas?

As you have found, you cannot use a sprintf reference directly in a conditional, and I do not think you can use nested sprintf references such as

    %{[processes]["%{[process][hash][md5]}"][paths]}

Something you could try is

    ruby {
        code => '
            # Resolve the md5 at runtime, since sprintf references are not allowed in conditionals
            hash = event.get("[process][hash][md5]")
            paths = event.get("[processes][#{hash}][paths]")
            # Stash the resolved list under @metadata so the conditional can reference it
            event.set("[@metadata][paths]", paths)
        '
    }
    if [process][executable] not in [@metadata][paths] {
        ....
    }

Thank you for the quick response!

I am not sure if "event.set" copies the data or just points to the given field.
The field I am referring to ("paths") may include a large set of data, so copying it may not be the best solution.

Isn't there any option to use temporary variables / pointers?

Edit:
Maybe there is a way to "check" the condition via Ruby code and update a boolean as a field in the metadata section?

Assuming you are using 'not in' as an array membership test and not a sub-string match, you could try

    ruby {
        code => '
            hash = event.get("[process][hash][md5]")
            paths = event.get("[processes][#{hash}][paths]")
            exe = event.get("[process][executable]")
            # Array() turns a missing [processes] entry (nil) into [], so an unknown
            # hash yields false instead of raising NoMethodError inside the filter
            event.set("[@metadata][exeFound]", Array(paths).include?(exe))
        '
    }
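To try the membership check from the answer above outside of a running pipeline, here is an added example (not from the thread or from Logstash itself) with a minimal stand-in for the Logstash Event API; `FakeEvent`, `exe_found`, `build_event` and the sample hash values are all constructed for this illustration.

```ruby
# Added example: a tiny stand-in for the Logstash Event API so the ruby-filter
# logic can be exercised offline. Only event.get / event.set with bracketed
# field references such as "[process][hash][md5]" are emulated.
class FakeEvent
  def initialize(data)
    @data = data
  end

  # Split "[a][b][c]" into ["a", "b", "c"]
  def self.path(ref)
    ref.scan(/\[([^\]]+)\]/).flatten
  end

  def get(ref)
    FakeEvent.path(ref).reduce(@data) { |node, key| node.is_a?(Hash) ? node[key] : nil }
  end

  def set(ref, value)
    *parents, last = FakeEvent.path(ref)
    node = parents.reduce(@data) { |n, key| n[key] ||= {} }
    node[last] = value
  end
end

# The filter body from the answer, with Array() guarding the case where the
# md5 has no [processes] entry: the result is false rather than a Ruby error.
def exe_found(event)
  hash  = event.get("[process][hash][md5]")
  paths = event.get("[processes][#{hash}][paths]")
  exe   = event.get("[process][executable]")
  event.set("[@metadata][exeFound]", Array(paths).include?(exe))
  event.get("[@metadata][exeFound]")
end

# Constructed sample event; the md5 values are placeholders, not real indicators.
def build_event(executable, md5, processes)
  FakeEvent.new(
    "process"   => { "executable" => executable, "hash" => { "md5" => md5 } },
    "processes" => processes
  )
end

# Constructed allow-list keyed by md5: known hash -> expected install paths
KNOWN_PROCESSES = { "0000aaaa" => { "paths" => ["/usr/bin/ssh", "/bin/ssh"] } }

puts exe_found(build_event("/usr/bin/ssh", "0000aaaa", KNOWN_PROCESSES)) # true
puts exe_found(build_event("/tmp/ssh", "0000aaaa", KNOWN_PROCESSES))     # false
puts exe_found(build_event("/usr/bin/ssh", "ffffffff", KNOWN_PROCESSES)) # false
```

The conditional in the pipeline then becomes `if ![@metadata][exeFound] { ... }`, and because `@metadata` fields are not written to outputs, the flag never reaches the index.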

Thank you so much.
It was the exact solution I was looking for.
