Match specific word in grok filter

naveenrt23 · July 25, 2019, 7:00pm

I have a log message which is composed of multiple values joined by pipes.
20190615|4|method|userend|/test/value/123/1.1|500|2

mY grok filter:

  mutate {
        add_field => {
          "[@metadata][copyOfMessage]" => "%{[message]}"
        }
      }
      # split message
      mutate {
        split => {
          "[@metadata][copyOfMessage]" => "|"
        }
      }
      if [@metadata][copyOfMessage][4] =~ /^\/test/  { 

grok {
    # Enable multiple matchers
    break_on_match => false

    match => { "message" => "%{DATA:timestamp_local}\|%{NUMBER:duration}\|%{WORD:requesttype}\|%{DATA:username}\|%{DATA:resource}\|%{NUMBER:statuscode}\|%{NUMBER:bytes}" }

    # Extract repo and path
    match => { "resource" => "/%{DATA:repo}/%{GREEDYDATA:resource_path}"}

    # Extract resource name
    match => { "resource_path" => "(?<resource_name>[^/]+$)" }
    
}
}

For some reason, my IF condition doesn't work perfectly and that block gets executed for every word which starts with "test".

My initial requirement was to send a message through grok filter only if [@metadata][copyOfMessage][4] =~ /^/test/ is true but the filter gets executed if the 5th value is "testing" or "tester". I only need to send the message through the filter if the 5th value is "test"

So,

I have tried something like below,

[@metadata][copyOfMessage][4] =~ /^/test/ and [@metadata][copyOfMessage][5] =~ /^/value/
and the whole block doesnt get exectued.

what can I do to match the exact word "test"?

Badger · July 25, 2019, 7:43pm

This tests whether it matches a regexp. If you want an exact string comparison then use

if [@metadata][copyOfMessage][4] == "test"

If you want to test whether the string starts with /test/ then use

if [@metadata][copyOfMessage][4] =~ /^\/test\//

system · August 22, 2019, 7:43pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.