Need help with conditional only if field contains a period

pcharles1 · September 13, 2021, 9:41pm

I'm trying to grok the host name field only if it contains a period using the conditional below:
if ([host][name] =~ ".") { grok host.name field }

For some reason, when the host name field doesn't contain a period, I get _grokparsefailure. I'm confused as to why this is happening. I would think if there's no period, the conditional won't be satisfied & the grok statement won't be executed. It seems like it is anyway.

I also tried this & it produces the same outcome
if ([host][name] =~ /./) { grok host.name field }

Any advice?

leandrojmp · September 13, 2021, 10:22pm

From the documentation:

regexp: =~ , !~ (checks a pattern on the right against a string value on the left)

So, the expression =~ "." or =~ /./ will make it match anything.

The conditional that you need to use in this case is:

if "." in [host][name]  { grok [host][name] field }

This will check if a literal . is a substring of the field [host][name].

pcharles1 · September 14, 2021, 1:04pm

That did the trick. Thanks @leandrojmp

system · October 12, 2021, 1:05pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
If conditional statement field source Logstash	2	1850	July 26, 2017
Issues with if statement, grok, and mutate Logstash	1	3381	July 6, 2017
IF Statement being ignored Logstash	3	333	September 27, 2018
Grok until first period Logstash	5	1426	September 3, 2019
If conditional on nested field with IP address Logstash	10	3724	April 21, 2020

Need help with conditional only if field contains a period

Related topics