Logstash If statement and grok not working

ankitdevnalkar · April 29, 2021, 8:51pm

I am using following if statement, not sure what is wrong here, it is giving me _mutate_error.
Does the / cause this error?

if [operationName] == "MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE"
        {
            mutate {
                add_field => { "Signal" => "A resource group deletion operation has %{[resultSignature]} by the user %{[identity][claims]http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress]}"}
		add_field => { "Priority" => "HIGH"}
                add_field => { "category" => "Resource"}
            }
        }

Also, getting _grokparsefailurein tag, grok filter is as follows :

if "RESOURCEGROUPS" in [resourceId]
{
                grok
                {
                match => {"[resourceId]" => ".*resourceGroups/%{USERNAME:resourceGroupName}.*"}
                }
                
}

Can anyone help ?

Badger · April 29, 2021, 9:25pm

%{[identity][claims]http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress]}

That is not a valid field reference.

What does the [resourceId] field look like?

grok patterns are not anchored, so the .* at the start and end are not needed.

ankitdevnalkar · April 30, 2021, 4:10am

@Badger thanks for getting back.

resourceId data is as follows:
/SUBSCRIPTIONS/AC015FE2-22FA-4D11-8E84-275FE7123A28/RESOURCEGROUPS/TEST

ankitdevnalkar · April 30, 2021, 4:52am

I got it !
I was searching for resourceGroups in grok but it is in caps RESOURCEGROUPS I changed grok pattern to .*RESOURCEGROUPS/%{USERNAME:resourceGroupName}.* and now it is working.

system · May 28, 2021, 4:53am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.