Some trouble with if / else in logstash filter block

First of all, I discovered ELK a bit late, but I am very enthusiastic about these products.
I am starting to play with it but I face a weird issue: impossible to do a simple if / else in my Logstash filter block.
I am trying to split grok filters between different log streams coming from Docker containers. All my log events contain the docker.image field, and I plan to use it for that.

    filter {
      if [docker.image] == "nginx:1.9" {
        mutate { add_field => { "matched" => "nginx" } }
      } else {
        mutate { add_field => { "matched" => "no" } }
      }
    }

No matter how I do this if, all my logs have the field matched set to no. I tried with if [docker.image], if ["docker.image"], if [docker\.image].

I bet this is something simple but I can't figure it out. Any hint?

Best regards,


Try with: if [docker][image]


You are right, if [docker][image] solved this.
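
Why the fix in this thread works, as an added example that is not part of the original posts and is not Logstash's own code: a simplified Python model of field-reference lookup, where each [segment] descends one level of the event and a dot inside a segment is part of the key name. The event contents and the function names are assumptions made for the illustration.

```python
import re

# Constructed sample event: the Docker metadata is a nested object, not a
# top-level key that is literally named "docker.image".
EVENT = {"message": "GET / HTTP/1.1", "docker": {"image": "nginx:1.9", "name": "web"}}

_SEGMENT = re.compile(r"\[([^\[\]]+)\]")


def parse_field_reference(ref):
    """Split a field reference into path segments (simplified model)."""
    if not ref.startswith("["):
        return [ref]  # bare name: one top-level key
    segments = _SEGMENT.findall(ref)
    if "".join(f"[{s}]" for s in segments) != ref:
        raise ValueError(f"malformed field reference: {ref!r}")
    return segments


def resolve(event, ref):
    """Walk the event one segment at a time; None when a key is missing."""
    node = event
    for key in parse_field_reference(ref):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def matched(event, ref, image="nginx:1.9"):
    """Mirror the if / else of the filter block in the question."""
    return "nginx" if resolve(event, ref) == image else "no"


if __name__ == "__main__":
    # The three forms tried in the question, then the form from the answer.
    for ref in ("[docker.image]", '["docker.image"]', r"[docker\.image]",
                "[docker][image]"):
        print(f"{ref:20} -> {parse_field_reference(ref)!r:26} matched={matched(EVENT, ref)}")
```

In this model only [docker][image] produces the two segments needed to reach the nested value, so every other form falls through to the else branch and a routing rule keyed on the image silently never fires.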