Need help with a NOT in if statement, is it "not" or "!"?

        # filter out local ips
        if !([http][request][headers][CF-Connecting-IP] =~ "^10.0.*" or [http][request][headers][CF-Connecting-IP] =~ "^127.0.*" or [http][request][headers][CF-Connecting-IP] == "0.0.0.0") {
            geoip {
                source => "[http][request][headers][CF-Connecting-IP]"
                target => "[client][geo]"
                tag_on_failure => ["geoip-city-failed"]
            }
        }

if not (...) is throwing an error.

The if !() is not throwing an error, but it is allowing empty fields to go through the if statement, creating the "geoip-city-failed" tag.

I see this, Accessing event data and fields in the configuration | Logstash Reference [8.1] | Elastic, mentioning: "Expressions can be long and complex. Expressions can contain other expressions, you can negate expressions with !, and you can group them with parentheses (...)."

But why is my not statement not working?

I need to add an additional check if that field exists.

        if [http][request][headers][CF-Connecting-IP] and !([http][request][headers][CF-Connecting-IP] =~ "^10.0.*" or [http][request][headers][CF-Connecting-IP] =~ "^127.0.*" or [http][request][headers][CF-Connecting-IP] == "0.0.0.0") {

In an if statement you use ! for NOT. The exception is the "not in" operator which is the opposite of an "in" operator.

Yes, if the field does not exist then the Java code will return false, and the ruby code treats that as a failure. Most filters are a no-op if the source field does not exist, but the geoip filter is different.
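An added example, not part of the original posts: a small Python model of how the two conditionals in this thread treat an event, run over constructed sample events. The helper names, and the modelling of Logstash's `=~` and field truthiness as Python functions, are assumptions made for illustration.

```python
import re

HEADER = "[http][request][headers][CF-Connecting-IP]"

def get_field(event, ref):
    """Resolve a Logstash-style field reference such as [a][b][c]; None if absent."""
    node = event
    for key in re.findall(r"\[([^\]]+)\]", ref):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def matches(value, pattern):
    """Model of `=~` (assumption): a missing field never matches."""
    return value is not None and re.search(pattern, str(value)) is not None

def is_local(event):
    """The three comparisons inside the parentheses of the thread's condition."""
    ip = get_field(event, HEADER)
    return matches(ip, r"^10.0.*") or matches(ip, r"^127.0.*") or ip == "0.0.0.0"

def original_condition(event):
    # if !( ... ): with no header every comparison is false, so the negation is true
    return not is_local(event)

def guarded_condition(event):
    # if [field] and !( ... ): a missing or null field fails the first test
    ip = get_field(event, HEADER)
    return ip is not None and ip is not False and not is_local(event)

def make_event(ip=None):
    headers = {} if ip is None else {"CF-Connecting-IP": ip}
    return {"http": {"request": {"headers": headers}}}

# Constructed sample events (203.0.113.7 is a documentation address)
SAMPLES = {name: make_event(ip) for name, ip in [
    ("no header", None), ("10.0.3.4", "10.0.3.4"), ("127.0.0.1", "127.0.0.1"),
    ("0.0.0.0", "0.0.0.0"), ("203.0.113.7", "203.0.113.7")]}

def reaches_geoip(condition):
    """Names of the sample events that would enter the geoip block."""
    return [name for name, ev in SAMPLES.items() if condition(ev)]

if __name__ == "__main__":
    print("if !(...)             ->", reaches_geoip(original_condition))
    print("if [field] and !(...) ->", reaches_geoip(guarded_condition))
```

The event with no header passes the unguarded condition, which is the case that ends up tagged "geoip-city-failed"; with the existence check only the public address reaches geoip.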
