Regex in filter plugin not working

srbhklkrn · January 10, 2020, 5:05pm

Hello,

I'm trying to tag one host by using syslog5424_host but it's not matching anything.

First, can I tag syslog5424_host? if yes can I use it directly in the output section and forward it to the destination instead of first tagging and then by using tag send it to the destination?

filter {
  if [syslog5424_host] = ~ /^sharedservices.prod.authorization-prod(...)/ {
    mutate {
      add_tag => ["Prod_Auth"]
    }
  }
}

The string I'm trying to match : sharedservices.prod.authorization-prod-16

Badger · January 10, 2020, 7:23pm

Have you tried removing the parentheses around the three periods?

srbhklkrn · January 10, 2020, 7:25pm

Yeah I did

I tried this as well : ^sharedservices.prod.authorization-prod.* its matching in ruby regex tester but not in logstash

Badger · January 10, 2020, 7:50pm

If you use

output { stdout { codec => rubydebug } }

what does that field look like?

srbhklkrn · January 10, 2020, 7:56pm

How do I see stdout in terminal?

Badger · January 10, 2020, 8:21pm

If you are running as a service then you could try using a file output with a rubydebug codec.

srbhklkrn · January 10, 2020, 8:57pm

I got it working I was forget to escape period

here is the working regex

^sharedservices\.prod\.authorization.*

Badger · January 10, 2020, 9:22pm

But period in a regexp matches anything, including a period. It has to be the change at the end of the regexp that fixed it.

system · February 7, 2020, 9:22pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.