Output based on grok message

I am trying to output based on different sysloghosts

input {
  udp {
    port => 5010
    type => "obs_test_udp"
  }
}
filter {
  grok {
    match => {"message" => "<%{POSINT:syslog_priority}>%{POSINT:syslog_version} %{TIMESTAMP_ISO8601:timestamp} %{SYSLOGHOST:sysloghost}"}
  }
}
output {
  if [sysloghost] in ["10.3.0.20", "10.2.0.12"] {
    file {
      path => "/usr/share/logstash/log/bob.log"
    }
  }
  else if [sysloghost] in ["bk-bot-bot"] {
    file {
      path => "/usr/share/logstash/log/alice.log"
    }
  }
  else {
    file {
      path => "/usr/share/logstash/log/ohno.log"
    }
  }
}

I can see the sysloghost field in the ohno log file, but I cannot filter based on it.

{"host":"10.101.192.143","syslog_version":"1","@timestamp":"2024-01-09T16:10:43.649810154Z","message":"<13>1 2024-01-09T11:10:43.755197-05:00 bk-bot-bot bk - - [timeQuality tzKnown=\"1\" isSynced=\"1\" syncAccuracy=\"30500\"] Medford is kewl","sysloghost":"bk-bot-bot","timestamp":"2024-01-09T11:10:43.755197-05:00","@version":"1","type":"obs_test_udp","syslog_priority":"13"}

  else if [sysloghost] in ["bk-bot-bot"] {

Apparently the in condition doesn't work on a single string in an array.

  else if [sysloghost] in ["bk-bot-bot", "bo dylan"] {

Worked as expected.

If I'm not wrong, you need to invert it when you want to test just one value.

if "bk-bot-bot" in [sysloghost]

Check the examples in the documentation.

Or you can just use if [sysloghost] == "bk-bot-bot"

See issues 9932 and 5591 on GitHub.
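An output section that applies the two suggestions above, written as an added example rather than code from the original thread. It assumes the same grok filter and file paths as the question; the extra `_grokparsefailure` branch is added so events that never got a sysloghost field are separated from genuinely unknown hosts.

```logstash
output {
  # If grok did not match, [sysloghost] does not exist and the event would
  # silently land in the catch-all. Route unparsed events to their own file
  # so parsing failures are visible instead of blending into "unknown host".
  if "_grokparsefailure" in [tags] {
    file {
      path => "/usr/share/logstash/log/unparsed.log"   # assumed path
    }
  }
  # Exact comparison is the reliable test for a single value; a one-element
  # array on the right-hand side of "in" hits the bug from issues 9932/5591.
  else if [sysloghost] == "bk-bot-bot" {
    file {
      path => "/usr/share/logstash/log/alice.log"
    }
  }
  # "in" against a list with two or more elements is a membership test.
  else if [sysloghost] in ["10.3.0.20", "10.2.0.12"] {
    file {
      path => "/usr/share/logstash/log/bob.log"
    }
  }
  # The inverted form from the earlier reply also avoids the bug, but with a
  # string field it is a substring test ("bk-bot" in "bk-bot-bot" is true),
  # so prefer == when the host name must match exactly.
  else if "bo dylan" in [sysloghost] {
    file {
      path => "/usr/share/logstash/log/alice.log"
    }
  }
  else {
    file {
      path => "/usr/share/logstash/log/ohno.log"
    }
  }
}
```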
