Yep, I've come to the same conclusion, so I used the Ruby filter. I still had a problem with the IF-THEN though.
This is the config:
input { beats { port => 5044 } }
filter {
  grok { match => { "@timestamp" => "(?<yyyymmdd>[0-9]{4}\-[0-9]{2}\-[0-9]{2})" } }
  ruby {
    code => "
      event.set('matched', false)
      inputfilename = File.basename(event.get('source'))
      expectedfilename = 'logFile_ms0.' + event.get('yyyymmdd') + '.log'
      if inputfilename == expectedfilename
        event.set('matched', true)
      end
    "
  }
  mutate { add_field => { "evaluation" => "%{matched}" } } # debug
  if ("%{matched}") { /* do something */ }
}
output { stdout {codec => rubydebug} }
Everything is good up to the IF.
The "matched" event is set correctly and the syntax "%{matched}" to read the value also seems correct, as the field "evaluation" gets populated with the same value as "matched".
However, I've tried
- if ("%{matched}")
- if ("%{matched}" == "true")
- if ("%{matched}" =~ "true")
- if ("true" in "%{matched}")
- if ("%{matched} == true")
and a few other combinations. None of them worked as expected, as it enters the IF even when "matched" is false.
I'm feeling pretty stupid right now, I can't grasp how Logstash's syntax works.
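
Added example, not part of the original post: a filter section that tests the flag through a field reference, `[matched]`, which is the form Logstash conditionals evaluate. The field names are the ones from the post; the tag names are hypothetical, and the `.to_s` guards are an addition for events that lack `source` or `yyyymmdd`.

```logstash
filter {
  # Same date capture as in the post.
  grok { match => { "@timestamp" => "(?<yyyymmdd>[0-9]{4}-[0-9]{2}-[0-9]{2})" } }

  ruby {
    # Store a real boolean on the event. to_s keeps File.basename and the
    # string concatenation from raising when a field is missing.
    code => "
      expected = 'logFile_ms0.' + event.get('yyyymmdd').to_s + '.log'
      event.set('matched', File.basename(event.get('source').to_s) == expected)
    "
  }

  # Conditionals take field references in square brackets. The %{...} sprintf
  # form is expanded in plugin options such as add_field, not in conditional
  # expressions, so a quoted "%{matched}" is only a literal string there.
  # [matched] is false when the field is absent, null or false.
  if [matched] {
    mutate { add_tag => ["expected_file"] }     # hypothetical action
  } else {
    mutate { add_tag => ["unexpected_file"] }   # hypothetical action
  }
}
```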