Using if else in logstash filter

yuswanul · October 18, 2022, 7:56am

Hi everyone,

i'd like to ask, is it possible to use OR operator in if else statement in logstash filter?

so, i want to delete the event that has value "VoIP-Null0", "Null0", and "Loopback0" in data.ifDescr field. i already apply configuration like this to delete them

filter{
csv {
separator => ","
skip_header => true
columns => ["timestamp","host","data.ifDescr","data.ifInOctets","data.ifOutOctets"]
}

if [data][ifDescr] == "VoIP-Null0" or [data][ifDescr] == "Null0" or [data][ifDescr] == "Loopback0"{
drop { }
}
}

but there's no change. the event are still exist. even in the logstash log, there is no error
can you show me how to solve this? thank you

Rios · October 18, 2022, 8:12am

Yes it is supported AND OR... Check docs

Check in LS ruby debugger real the field name "data.ifInOctets" or [data][ifDescr].
I haven't tried, but should be different names in CSV. Also is useful,not mandatory, to have () in log. operations
...

columns => ["timestamp","host","[data][ifDescr]","[data][ifInOctets]","[data][ifOutOctets]"]
}

if ( ([data][ifDescr] == "VoIP-Null0") or ([data][ifDescr] == "Null0") or ([data][ifDescr] == "Loopback0") ) {
drop { }
}

yuswanul · October 18, 2022, 11:37am

Thank you for the response. i'll try your suggestion later. because I tried my luck before and it worked. hahaha. i change it from

if [data][ifDescr] == "VoIP-Null0" or [data][ifDescr] == "Null0" or [data][ifDescr] == "Loopback0"{
drop { }
}

into

if [data.ifDescr] == "VoIP-Null0" or [data.ifDescr] == "Null0" or [data.ifDescr] == "Loopback0"{
drop { }
}

I didn't think it would work. Once again, thank you

Rios · October 18, 2022, 3:14pm

data.ifDescr - single field name
[data][ifDescr] - nested field

leandrojmp · October 18, 2022, 3:22pm

You should avoid using dots in fields name as this can lead to confusion because they work in different ways in Logstash and Elasticsearch.

In Logstash, using data.ifDescr means a field with a literal dot in its name, you have this:

{ "data.ifDescr": "value" }

In elasticsearch in scripts or ingest pipelines, using data.ifDescr would mean a json object named data with a nested field named ifDescr.

Something like this:

{ "data": { "ifDescr": "value" } }

In your case, if you named your field as data.ifDescr, then you should use [data.ifDescr] in your conditional.

But the recommendation is to change your csv filter and condtional to the ones that @Rios shared.

yuswanul · October 19, 2022, 1:52am

Thanks for the explanation @leandrojmp . i also want to ask something about if else. is it good to use conditional statement this many?

or is it better if i make it like this?

if "Crypto" in [data][ifDescr] or "Bluetooth" in [data][ifDescr] or "unrouted" in [data][ifDescr]{
drop { }
}
else if "VoIP" in [data][ifDescr] or "Null" in [data][ifDescr] or "Loopback" in [data][ifDescr]{
drop { }
}

I'm afraid if I use conditional statements like above picture, it will affect logstash performance. Thank you

leandrojmp · October 19, 2022, 2:38am

It makes no difference and will have zero impact in the performance.

But if the value of the field [data][ifDescr] is a single keyword you can improve your conditional and make it more readable.

if [data][ifDescr] in ["Crypto", "Bluetooth", "unrouted", "VoIP", "Null", "Loopback"] {
    drop {}
}

yuswanul · October 19, 2022, 3:36am

Thanks a lot for the solution @leandrojmp and Thank you for the help @Rios

yuswanul · October 19, 2022, 5:13am

actually that is some keyword of the value. because the value of the field is unrouted Vlan 56 (for example) if the value is not a single keyword, how do i improve my conditional?

system · November 16, 2022, 5:14am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.