Where the conditional goes?

Incauto · November 21, 2019, 6:14pm

where in the file a conditional that check if a field contains certain string, and if contains it, drop the log, goes?

it goes after the grok? it contains the grok? it goes in the output?

The following code doesnt work...where the conditional goes?

filter {

    grok {
            match => { "message" => "%{DATA:server}\s%{NUMBER:swap_space_use}" }
    }
    if [server] == "error" {
            drop {}
    }
}
otuput{
...
}

Badger · November 21, 2019, 6:19pm

That looks right. In what way does it not work?

Incauto · November 21, 2019, 6:27pm

Hi again Badger...when ever a log doesnt match the grok I send the error to a file, and Im still getting log lines with the "error" string in the server field in that file, with the drop the log should not appears in my errors file, or am i wrong?

output{

    if "_grokparsefailure" in [tags] {

            file {
                    path => "/tmp/memoria_sw-warning.txt"
            }
    }

}

Badger · November 21, 2019, 6:30pm

If that grok fails then the server field will not exist.

Incauto · November 21, 2019, 6:43pm

if the server field didnt exist, it wouldnt be shown in the errors file that is created when a grok parse failure happens, and its there in the message.

Im confused.

by the way there is other fields that I excluded from the example to simplify it.

part of my error file

Badger · November 21, 2019, 6:50pm

That shows that the message field contains the word error. It does not show that the event contains a field called server.

Incauto · November 21, 2019, 7:34pm

Mind blown....So the field "server" is not created because the parse error?

The field that is provoking the parse error expect a number, but is getting a number with a colon in beetween ex: 23:2233 (I check that with the original log)

I have that field like this: (%{NUMBER:name})? so whenever the value doesn´t match with the type, that field doesnt exist anymore, then the grok parse failure should go away....but still is giving me the parse error.

Badger · November 21, 2019, 7:42pm

If grok is unable to parse any part of the pattern then it creates no fields and adds a _grokparsefailure tag.

Incauto · November 21, 2019, 8:00pm

Hey man you had been very pacient, and I dont want to take your time anymore, so my last doubt, in another conf I have this

grok {
            match => {"message" => "%{TIME:hora}\s%{DATA:fecha}\s%{DATA:status}\s%{DATA:server}\s(%{NUMBER:segundos})?"}
    }

    if !([segundos]) {
             mutate {
                        add_field => {"segundos" => "0"}
                }
    }

Whenever a non numeric value is in the "segundos" field, only that field is not included, but the rest of fields are created. (the oppsite of what you say) thats why later I check and add the segundos field if it is not present, and it works....

Badger · November 21, 2019, 8:07pm

In that pattern you have made the last field optional using ()?, so the pattern does match.

system · December 19, 2019, 8:07pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.