Single forward slash in field not accessible in conditional filter


(Nick Erber) #1

Hi,

I'm sending Oracle auditing events with Filebeat 5.0.0. The events themselves are written to an XML file by the Oracle database.
Sometimes, one field (DB_User) contains a single /.
I'd like to filter this slash in a Logstash config. Obviously, it is not possible or I don't know the correct way.

Here is a sample part of the config:

    if ([AuditRecord][DB_User]) {
        mutate { add_tag => [ "something" ] }
        if ([AuditRecord][DB_User] == "/") {
            mutate { add_tag => [ "condition" ] }
        }
        if [AuditRecord][DB_User] =~ /\// {
            mutate { add_tag => [ "regexp" ] }
        }
        if [AuditRecord][DB_User] =~ "\/" {
            mutate { add_tag => [ "regexp_2" ] }
        }
        if [AuditRecord][DB_User] =~ /^\// {
            mutate { add_tag => [ "regexp_3" ] }
        }
    }

This config only adds the tag "something". None of the other tags is added.

This is the part of the JSON in Kibana:

    "AuditRecord": {
        "DB_User": [
            "/"
        ],

And when trying to filter with Kibana by pressing the +, it shows the following (although there are definitely hits).

Thanks for your help!


(Magnus Bäck) #2

[AuditRecord][DB_User] is an array and not a string. This should work:

    if [AuditRecord][DB_User] == ["/"] { ... }

(Nick Erber) #3

Thanks! This solved the issue.

I didn't expect the XML-Filter-Plugin to create an Array for every value.


(Magnus Bäck) #4

It does, but that behavior can be disabled with an option.


(Nick Erber) #5

Yes, I already did it.
Thank you!
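
The fix discussed in this thread, as an added example that is not part of the original posts: the xml filter's `force_array` option is set to `false` so single-valued elements arrive as strings, and the conditional falls back to the array comparison from reply #2 for events parsed with the default setting. The `source` and `target` values and the `db_user_slash` tag name are assumptions chosen to match the field path shown above.

```logstash
filter {
  xml {
    source      => "message"       # assumption: the raw <AuditRecord> XML is in "message"
    target      => "AuditRecord"   # assumption: yields [AuditRecord][DB_User] as in the thread
    force_array => false           # single-valued elements become strings, not 1-element arrays
  }

  if [AuditRecord][DB_User] {
    # With force_array => false the value is the string "/",
    # so the plain string comparison from the first post now matches.
    if [AuditRecord][DB_User] == "/" {
      mutate { add_tag => [ "db_user_slash" ] }
    }
    # With the default (force_array => true) the value is ["/"],
    # so the comparison has to be against an array, as in reply #2.
    else if [AuditRecord][DB_User] == ["/"] {
      mutate { add_tag => [ "db_user_slash" ] }
    }
  }
}
```

Even with `force_array => false`, an element that occurs more than once in the same record is still parsed into an array, so keeping the array branch avoids silently missing such events.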

