Single forward slash in field not accessable in conditional filter

nick.e · November 7, 2016, 9:18am

Hi,

I'm sending oracle auditing events with filebeat 5.0.0. The events itself are written to an xml-file by the oracle database.
Sometimes, one field (DB_User) contains a single /.
It'd like to filter this slash in a logstash config. Obviously, it is not possible or I don't know the correct way.

Here is a sample part of the config:

    if ([AuditRecord][DB_User]) {
        mutate { add_tag => ["something"]}
        if ([AuditRecord][DB_User] == "/") {
            mutate { add_tag => [ "condition" ] }
        }
        if [AuditRecord][DB_User] =~ /\// {
            mutate { add_tag => [ "regexp" ] }
        }
        if [AuditRecord][DB_User] =~ "\/" {
            mutate { add_tag => [ "regexp_2"] }
        }
        if [AuditRecord][DB_User] =~ /^\// {
            mutate { add_tag => [ "regexp_3"] }
        }

This config only adds the tag "something". None of the other tags is added.

This is the part of the JSON in Kibana:

 "AuditRecord": {
     "DB_User": [
         "/"
       ],

And when trying to filter with Kibana by pressing the +, it shows following (although there are definitely hits)

Thanks for your help!

magnusbaeck · November 7, 2016, 12:19pm

[AuditRecord][DB_User] is an array and not a string. This should work:

if [AuditRecord][DB_User] == ["/"] { ... }

nick.e · November 7, 2016, 12:45pm

Thanks! this solved the issue.

I didn't expect the XML-Filter-Plugin to create an Array for every value.

magnusbaeck · November 7, 2016, 12:47pm

It does, but that behavior can be disabled with an option.

nick.e · November 7, 2016, 12:58pm

Yes, I already did it.
Thank you!

system · December 5, 2016, 12:59pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.