Logstash pipeline multiple if statements

Robin020 · October 14, 2021, 2:25pm

Hello,

I am trying create multiple if statements in the filter section in my pipeline config but I have no success with that.

This works (with one if statement)

filter {
  json {
      source => "message"
  }
  split { field => "[data][TABLE_neighbor][ROW_neighbor]"  }

  if "172.1.1.1" in [host] or "172.1.1.2" in [host] or "172.1.1.3" in [host] or "172.1.1.4" in [host] {
      mutate {
          add_tag => [ "test" ]
      }
}
}

This doesn't work:

filter {
  json {
      source => "message"
  }
  split { field => "[data][TABLE_neighbor][ROW_neighbor]"  }

  if "172.1.1.1" in [host] or "172.1.1.2" in [host] or "172.1.1.3" in [host] or "172.1.1.4" in [host] {
      mutate {
          add_tag => [ "test" ]
      }
}
  if "true" in [data.TABLE_neighbor.ROW_neighbor.up] {
      mutate {
           add_field => { "testfield" => "1"  }
      }
}
}

What wrong with this filter? How can I use multiple if statements for different fields?

Regards,
Robin

Badger · October 15, 2021, 5:02pm

Your split filter suggests you have a field called [data][TABLE_neighbor][ROW_neighbor] (in elasticsearch or kibana you would call that data.TABLE_neighbor.ROW_neighbor) so it seems likely that your second if should be

if "true" in [data][TABLE_neighbor][ROW_neighbor][up] {

system · November 12, 2021, 5:03pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.