Output When Data in Field is a Specific Value

Hi,
I want to only output a field called network.application when it contains the value ALPHA, but I am getting this error:

Expected one of [ \t\r\n], "#", "{" at line 152, column 7 (byte 3941) after output {
if [network][application] == "ALPHA" {
codec
[FATAL] 2021-10-26 17:07:00.423 [LogStash::Runner] Logstash - Logstash stopped processing because of an error: (SystemExit) exit

output {
    if [network][application] == "ALPHA" {
        codec => cef {
            reverse_mapping => true
            delimiter => "\r\n"
            fields => [
                "start",
                "end",
                "cs1",
                "cs2",
                "cs3",
                "cs4",
                "src",
                "act",
                "deviceProduct",
                "deviceVendor"
            ]

            vendor     => "TEST"
            product    => "ALPHa"
        }
    }
}

It's obviously the way the syntax is, but I can't figure it out. I just want to convert any log to CEF that has network.application = ALPHA.

thx

You have not told it what output plugin to use. The compiler is interpreting codec as a plugin name (it would fail to load it later if it didn't fail here) and a plugin name cannot be followed by =>.

Maybe

output {
    if [network][application] == "ALPHA" {
        file {
            codec => cef {
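
A complete version of the conditional output with the codec nested inside an output plugin, as an added example that is not part of the original thread. It uses the file output suggested above; the path value is a placeholder assumption, and the codec settings are copied from the question.

```logstash
output {
  # Only events whose network.application field is exactly "ALPHA" reach this output.
  if [network][application] == "ALPHA" {
    # A codec is a setting of an output plugin, so it has to sit inside one.
    file {
      # Placeholder path (assumption, not from the thread).
      path => "/path/to/alpha-cef.log"
      codec => cef {
        reverse_mapping => true
        # "\r\n" is only read as CR LF when config.support_escapes is true in logstash.yml.
        delimiter => "\r\n"
        fields => [
          "start", "end", "cs1", "cs2", "cs3", "cs4",
          "src", "act", "deviceProduct", "deviceVendor"
        ]
        vendor  => "TEST"
        product => "ALPHa"
      }
    }
  }
}
```

Running Logstash with --config.test_and_exit parses the file and reports syntax errors like the one in the question without starting the pipeline.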
