Using conditionals in your filter{} blocks

Wrapping your filter logic in conditional expressions can be very important.

If your configuration is split up into many files, Logstash will combine them and run all of the stanzas against every event, so a filter without a conditional is also applied to events it was never written for. Using conditionals to limit the amount of processing performed will also make this step faster.

To tell if an event contains a given tag:

if "value" in [tags] {
}

For string fields:

if [FIELD] =~ /.+/ {
     # exists
}
 
if [FIELD] !~ /.+/ {
     # doesn't exist
}

For numeric fields:

if [FIELD] {
     # exists
}
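
The three tests combined in one filter{} block, as an added example that is not part of the original post. The tag name web_access, the field names and the log layout are assumptions made for illustration.

```logstash
filter {
  # Scope everything below to events tagged "web_access" (assumed tag,
  # e.g. set with tags => ["web_access"] on the input). Events that come
  # from other config files pass through this stanza untouched.
  if "web_access" in [tags] {

    # String field test: do not hand an empty message to grok.
    if [message] !~ /.+/ {
      mutate { add_tag => [ "empty_message" ] }
    } else {
      # Constructed sample line: 203.0.113.7 GET /Login 401 512
      grok {
        match => {
          "message" => "%{IP:client} %{WORD:method} %{URIPATH:uri_path} %{NUMBER:status:int} %{NUMBER:bytes:int}"
        }
      }
    }

    # grok adds _grokparsefailure when the pattern does not match;
    # skip the remaining work for those events.
    if "_grokparsefailure" not in [tags] {

      # String field exists and is non-empty.
      if [uri_path] =~ /.+/ {
        mutate { lowercase => [ "uri_path" ] }
      }

      # Numeric field exists (grok's :int suffix stored it as an integer),
      # so the numeric comparison is safe.
      if [status] {
        if [status] >= 400 {
          mutate { add_tag => [ "http_error" ] }
        }
      }
    }
  }
}
```

Note that a bare `if [FIELD]` is also false when the field exists but holds null or boolean false, so it is an existence test only for fields that never carry those values.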
