Using conditionals in your filter{} blocks

Posted on March 30, 2015 | 2 Comments

Wrapping your filter logic in conditional expressions can be very important.

If your configuration is split up into many files, logstash will combine and run all of the stanzas.  Also, using conditionals to limit the amount of processing performed will make this step faster.

To tell if an event contains a given tag:

if "value" in [tags] {
}

For string fields:

if [FIELD] =~ /.+/ {
     # exists
}
 
if [FIELD] !~ /.+/ {
     # doesn't exist
}

For numeric fields:

if [FIELD] {
     # exists
}
This entry was posted in Logstash Tips. Bookmark the permalink.

2 responses to “Using conditionals in your filter{} blocks

  1. Rajesh Swarnkar | January 6, 2016 at 10:24 am | Reply

    How do you combine following if conditions?
    e.g.
    if “INFO” in [message] { match 1 } OR
    if “DEBUG” in [message] { match 1 again }

    I tried
    if “INFO” in [message] or “DEBUG” in [message]
    Did not worked.

Leave a Reply

Your email address will not be published. Required fields are marked *