I want to add if statement and check condition in grok block if grok pattern is matched and add module in given json.
Bellow Filter shows error please help.
grok
{
match => { logs => "killed by TERM signal"}
if ([boardname] =~ /^.*tester.*$/)
{
add_field => {"module" => "null"}
}
}You can not use conditionals within ANY filter definition. You can however place the conditional outside the grok filter block and use a mutate filter to add the field.
thanks @Christian_Dahlqvist
Is this Correct way to do it?
grok
{
match => { logs => "killed by TERM signal"}
add_tag => ["regexMatched"]
}
if "regexMatched" in [tags]
{
if ([boardname] =~ /^.*tester.*$/)
{
add_field => {"module" => "null"}
}
}Almost. When a grok filter fails to match any expression, it by default adds a _grokparsefailure tag, so you can trigger on this instead of adding a separate field if you want. You also need to wrap the add_field statement in a filter, e.g. mutate. Something like this should work:
grok {
match => { "logs" => "killed by TERM signal"}
}
if "_grokparsefailure" not in [tags] {
if ([boardname] =~ /^.*tester.*$/) {
mutate {
add_field => {"module" => "null"}
}
}
}
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.