MULTIPLE IF ELSE CONDITION IN LOGSTASH WITH AND OPERATOR
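If I use this logic in Logstash, it works:
if "a" in [msg] or "b" in [msg]
But what I need to use is an and condition. If I replace or with and, it fails. Any ideas?
This fails:
if "a" in [msg] and "b" in [msg]
What I am trying to do is apply the defined filter only when both selected strings a and b are present. Any help is much appreciated.
This works for me.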
filter {
  # Copy the whole line into my_data so the conditionals can test it
  grok {
    match => [ "message", "%{GREEDYDATA:my_data}" ]
    tag_on_failure => [ "_failure", "_grokparsefailure" ]
  }
  # Both substrings present
  if "sandeep" in [my_data] and "kanabar" in [my_data] {
    mutate {
      add_field => { "status" => "Both name and surname present" }
    }
  }
  # Only one of the two substrings present
  else if "sandeep" in [my_data] or "kanabar" in [my_data] {
    mutate {
      add_field => { "status" => "either name/surname present" }
    }
  }
}
Test run output:
Input --> name:"sandeep test"
Output:
{
"@timestamp" => 2019-10-31T11:27:33.941Z,
"my_data" => "name:\"sandeep test\"",
"@version" => "1",
"host" => "M22959216G3QD",
"message" => "name:\"sandeep test\"",
"status" => "either name/surname present"
}
Input --> :"test kanabar"
Output:
{
"@timestamp" => 2019-10-31T11:27:43.389Z,
"my_data" => "name:\"test kanabar\"",
"@version" => "1",
"host" => "my_host",
"message" => "name:\"test kanabar\"",
"status" => "either name/surname present"
}
Input --> :"sandeep kanabar"
Output:
{
"@timestamp" => 2019-10-31T11:27:50.516Z,
"my_data" => "name:\"sandeep kanabar\"",
"@version" => "1",
"host" => "M22959216G3QD",
"message" => "name:\"sandeep kanabar\"",
"status" => "Both name and surname present"
}
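An added example, not part of the original question or answer: the `in` operator is a substring test when the field holds a string, but an exact element match when the field holds an array, which changes whether an `and` of two `in` tests can succeed. The sample lines, the `words` and `missing` field names and the tag names are constructed for illustration.

```logstash
# Constructed sample events; field and tag names are illustrative.
input {
  generator {
    lines => [
      'name:"sandeep kanabar"',
      'name:"sandeep test"'
    ]
    count => 1
  }
}

filter {
  # [message] is a string here, so `in` is a substring test.
  if "sandeep" in [message] and "kanabar" in [message] {
    mutate { add_tag => [ "both_in_string" ] }
  }

  # Copy the line, then split the copy into an array of words.
  # Two mutate blocks are used so the copy runs before the split.
  mutate { copy  => { "message" => "words" } }
  mutate { split => { "words" => " " } }

  # [words] is an array, so `in` needs an element equal to the literal.
  # The elements are 'name:"sandeep' and 'kanabar"', so neither test
  # matches even though both substrings occur in the original line.
  if "sandeep" in [words] and "kanabar" in [words] {
    mutate { add_tag => [ "both_in_array" ] }
  }

  # [missing] does not exist: the test is simply false, with no error
  # or failure tag, so a wrong field name silently matches nothing.
  if "sandeep" in [missing] {
    mutate { add_tag => [ "never_added" ] }
  }
}

output {
  stdout { codec => rubydebug }
}
```

When a condition like this feeds an alerting or enrichment rule, check the field's type and name in the `rubydebug` output first, because a non-matching `in` test leaves no trace on the event.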