I see some other topics on partial matches for [message], but I can't find any topics on partial matches for [fields][value] that is sent from filebeat.
My situation is that I have the name of a program followed by a version as [fields][product] sent to logstash. It's ingested and displays as it should in Kibana. I want to run a different grok depending on the software that's in the [product] field. It seems partial matching isn't working against this field. I even tried a regexp to match the field to a string.
Example [fields][product]:
Outlook 2019
  "fields" => {
    "product" => [
      [0] "Outlook 2019"
    ],
    "service" => "Service",
    "env" => [
      [0] "QA"
    ],
    "customer" => [
      [0] "customer1"
    ]
  }
another one might be:
Outlook 2017
  "fields" => {
    "product" => [
      [0] "Outlook 2017"
    ],
    "service" => "Service",
    "env" => [
      [0] "QA"
    ],
    "customer" => [
      [0] "customer1"
    ]
  }
Since the same customer could be using multiple versions of software, the desired configuration is that I can match on "Outlook" in the logstash "if" statement such as this:
  if "Outlook" in [fields][product] {
    grok {
      ...
    }
  }
That doesn't work for some reason. I've also tried:
  if [fields][product] =~ /^Outlook/ {
    grok {
      ...
    }
  }
Of course a full match works, like:
  if "Outlook 2019" in [fields][product] {
    grok {
      ...
    }
  }
but it leaves out the rest of the logs that are using a different version. Can someone point me in the right direction?
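An added, self-contained pipeline (not part of the original post) that reproduces the situation and shows the check that matters. The rubydebug output above prints `[0] "Outlook 2019"`, which means `[fields][product]` is an array with one element, not a string. In Logstash conditionals the `in` operator tests substring containment only when the left-hand field is a string; against an array it tests whole-element membership, so `"Outlook" in [fields][product]` is false unless an element is exactly `"Outlook"`, and `=~` does not match an array at all. Indexing element 0 (`[fields][product][0]`) yields the string, and both substring and regex tests then behave as expected. The sample events below are constructed (the JSON lines, the `env` value and the tag names are assumptions); the `grok` body is left as a comment because the post does not show the log format.

```logstash
input {
  # Constructed sample events shaped like the rubydebug output in the post:
  # [fields][product] is a one-element array, as filebeat sent it.
  generator {
    lines => [
      '{"message":"constructed outlook line","fields":{"product":["Outlook 2019"],"env":["QA"]}}',
      '{"message":"constructed outlook line","fields":{"product":["Outlook 2017"],"env":["QA"]}}',
      '{"message":"constructed other line","fields":{"product":["Word 2019"],"env":["QA"]}}'
    ]
    codec => json
    count => 1
  }
}

filter {
  # [fields][product] is an array, so `"Outlook" in [fields][product]` asks
  # whether "Outlook" is one of its elements (it is not) and
  # `[fields][product] =~ /^Outlook/` never matches an array.
  # Index element 0 to get the string, then anchor the regex so that only
  # products starting with "Outlook" (any version) take this branch.
  if [fields][product][0] =~ /^Outlook/ {
    mutate { add_tag => ["outlook"] }   # observable marker for this branch
    # grok { match => { "message" => "<Outlook pattern here>" } }
  } else if "Word" in [fields][product][0] {
    # Substring form works too once the operand is a string.
    mutate { add_tag => ["word"] }
  } else {
    mutate { add_tag => ["unknown_product"] }
  }
}

output {
  stdout { codec => rubydebug }
}
```

Save this as a file and run it with `bin/logstash -f <file>`: the two Outlook events come out tagged `outlook` regardless of version, the Word event tagged `word`. Before copying the `[0]` form into a production pipeline, confirm in your own rubydebug output that the field really is printed with a `[0]` index; if filebeat is configured to send a scalar value the field arrives as a plain string, in which case the original `"Outlook" in [fields][product]` and `=~` forms are the correct ones. Anchoring the regex with `^` keeps a product name that merely contains "Outlook" somewhere in the middle from selecting the Outlook grok by accident.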