Logstash if condition


#1

I have some data that comes in, and I am using the IP address to get hold of geo details using geoip.

What I found is that my add_field adds the field below if it finds a region, for example:

"region_name": "CA",

Although if one does not exist in the dat file, the data comes into Elastic as:

"regionName": "%{[geometry][region_name]}"

I'd rather it be null than have the parameter value.

My logstash config has the below:

mutate {
  add_field => ["[regionName]", "%{[geometry][region_name]}"]
}

I tried the following as a test, which I assumed checked if a region existed as a property and then added a field, but apparently this is not the case. It appears that when I do the following, it just adds blob2 as a field when it finds geometry:

if "{[geometry][region_name]}" { mutate { add_field => { "blob2" => "Testing" }}}

Thanks


#2

Not sure why undefined> is coming up in the above syntax, ignore that.


(Magnus Bäck) #3

If you move the add_field to the geoip filter itself things should work since it'll only be processed if the filter is successful, which in the geoip case should mean that it found a match for the IP address.

filter {
  geoip {
    ...
    add_field => ["regionName", "%{[geometry][region_name]}"]
  }
}

#4

Thanks Magnus for responding. I tried that, but the data came back as below; the regionName comes back with the parameter:

"geometry": {
  "country_code2": "US",
  "country_code3": "USA",
  "country_name": "United States",
  "continent_code": "NA",
  "latitude": 38,
  "longitude": -97,
  "dma_code": 0,
  "area_code": 0,
  "location": [
    -97,
    38
  ],
  "coordinates": [
    -97,
    38
  ],
  "type": "Point"
},
"regionName": "%{[geometry][region_name]}",

The below was the very first draft of the add_field, which is why I assumed I had to do a mutate, if condition on the data, as opposed to adding it in the geoip.

geoip {
  source => "ipAddress"
  target => "geometry"
  database => "/etc/logstash/GeoLiteCity.dat"
  add_field => ["regionName", "%{[geometry][region_name]}"]
  add_field => ["countryName", "%{[geometry][country_name]}"]
  add_field => ["countryCode", "%{[geometry][country_code3]}"]
}


(Magnus Bäck) #5

Oh, okay. It seems the various fields (like region_name) aren't always set. In that case your original attempt with a conditional was a good option, just with the wrong syntax. Try this:

if [geometry][region_name] {
  mutate {
    add_field => { "blob2" => "Testing" }
  }
}

(Won't work as expected if the field whose existence is being checked exists and contains a false boolean value.)


#6

Thanks, you were right, it was my syntax. Now fixed to:

if [geometry][region_name] {
  mutate {
    add_field => [ "regionName", "%{[geometry][region_name]}" ]
  }
}
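
As an added example, not part of the original thread or any poster's configuration: the conditional from the last post applied to all three fields copied in post #4, with a backstop that tags any event still carrying a literal `%{...}` reference so it can be found after indexing. The tag name `unresolved_sprintf` is an assumption chosen for illustration; the source, target and database values are the ones posted above.

```logstash
filter {
  geoip {
    source   => "ipAddress"
    target   => "geometry"
    database => "/etc/logstash/GeoLiteCity.dat"
  }

  # Copy each geoip sub-field only when the lookup actually produced it.
  # A missing sub-field would otherwise leave the "%{...}" reference
  # in the new field as a literal string.
  if [geometry][region_name] {
    mutate { add_field => { "regionName" => "%{[geometry][region_name]}" } }
  }
  if [geometry][country_name] {
    mutate { add_field => { "countryName" => "%{[geometry][country_name]}" } }
  }
  if [geometry][country_code3] {
    mutate { add_field => { "countryCode" => "%{[geometry][country_code3]}" } }
  }

  # Backstop: tag events where a field value still starts with "%{",
  # meaning a reference was not resolved somewhere in the pipeline.
  # "unresolved_sprintf" is a hypothetical tag name.
  if [regionName] =~ /^%\{/ or [countryName] =~ /^%\{/ or [countryCode] =~ /^%\{/ {
    mutate { add_tag => ["unresolved_sprintf"] }
  }
}
```

With the three conditionals in place the backstop should never fire for these fields; it is there to surface the same mistake if another unconditional add_field is introduced later.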

