Searching value of variable

Hi,
I'm searching to compare the value of a variable in a field (from "message" or from a specific field).

I'm trying this, but without result:

    ...
    filter {
        mutate {
            add_field => { "mails" => "joe, mary, pierre" }
            add_field => { "user" => "mary" }
        }
        if [mails] =~ "%{user}" {..................}
    .....

Is my conditional line correct?

In my final configuration, the field "user" comes from logs and the json plugin.
Thanks.

I would not expect a sprintf reference to work in that context. You can do it in ruby.

    ruby {
        code => '
            # Substring test: true when the "mails" string contains the "user" value
            if event.get("mails").include? event.get("user")
                event.set("FoundIt", true)
            end
        '
    }

will work. However, that will also work searching for "pie". If you want to test for the complete word then try

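    # Remove the spaces, then turn the comma-separated string into an array
    mutate { gsub => [ "mails", " ", "" ] }
    mutate { split => { "mails" => "," } }
    ruby {
        code => '
            # "mails" is now an array, so include? compares whole entries
            if event.get("mails").include? event.get("user")
                event.set("FoundIt", true)
            end
        '
    }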
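
As an added example (not part of the thread and not Badger's code): the substring test and the whole-entry test side by side in plain Ruby, including the empty and missing `user` cases that matter when the list is used as an allowlist. The function names and the sample values are assumptions made for illustration.

```ruby
# Added example, not from the thread. Plain Ruby so it runs without Logstash;
# inside a ruby filter, read the values with event.get("mails") / event.get("user")
# and store the result with event.set("FoundIt", ...).

# Substring test, as in the first snippet: true whenever the user value
# appears anywhere inside the comma-separated string.
def substring_match?(mails, user)
  return false unless mails.is_a?(String) && user.is_a?(String)
  mails.include?(user)
end

# Whole-entry test: split the list, trim each entry, compare exactly.
# Accepts the field as a string or as an array (after mutate split).
# Missing or empty values never match.
def listed?(mails, user)
  return false unless user.is_a?(String)
  wanted = user.strip
  return false if wanted.empty?
  entries = case mails
            when String then mails.split(",")
            when Array  then mails
            else []
            end
  entries.any? { |e| e.to_s.strip == wanted }
end

# Constructed sample values (the list is the one from the question).
MAILS = "joe, mary, pierre"
SAMPLES = ["mary", "pie", " pierre ", "", nil, "joe, mary"]

# Returns [user, substring result, whole-entry result] for each sample.
def compare(mails, samples)
  samples.map { |u| [u, substring_match?(mails, u), listed?(mails, u)] }
end

if __FILE__ == $PROGRAM_NAME
  compare(MAILS, SAMPLES).each do |user, sub, exact|
    puts format("%-12s substring=%-5s whole_entry=%s", user.inspect, sub, exact)
  end
end
```

An empty `user` value passes the substring test because every Ruby string includes the empty string, which is why the whole-entry version rejects it explicitly.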

Thanks very much Badger!
It's working very well.

In addition, as I'm quite curious, could you give me a good link to read documentation about the "code" of ruby? I would like to discover the other syntax options.
