Match field to string in IF statement

No_Executable · March 21, 2018, 10:01am

I am trying to push different log types through the same logstash config file. I have managed to get the log type from the path and filename into a separate field and now I want it to run different sets of configurations depending on the new logtype field.

filter {
	grok {
		match => {"source" => "%{GREEDYDATA:path}\\%{GREEDYDATA:logtype}.w3wp.default.%{GREEDYDATA:filetimestamp}.log"}
	}
	xml {
        	source => 'message'
        	target => 'doc'
    }
	if ("[logtype]" == "Commandusage") {
		mutate {
			split => {"[doc][Message]" => "	"}
    	}
	}
	else if ("[logtype]" == "ClientErrors") {
		mutate {
			split => {"[doc][Message]" => ". "}
		}
	}
}

It runs without error but it ignores the if statements and doesn't split [doc][Message] in either way.

No_Executable · March 21, 2018, 10:45am

Turns out I brainfarted real bad and missed that that's not how the if statements should look like.

Changed them to

if ("Commandusage" in [logtype]) {
	mutate {
		split => {"[doc][Message]" => "	"}
	}
}
else if ("ClientErrors" in [logtype]) {
	mutate {
		split => {"[doc][Message]" => ". "}
	}
}

and it works now

system · April 18, 2018, 10:45am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.