quick question:
Would this be the correct way to place multiple expressions in a single condition?
if [EMS_Identifier] == "monitor.globalStatus.nonCritical" and "disk" in [syslog_message] and "failed" in [syslog_message] {
mutate {
add_tag => ["RAID_Disk_FAILED"]
}
}
Yes, that looks okay.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.