Using a conditional in logstash
Question
Has anyone ever added a conditional to an input? I'm using various versions of the beats plugin. Versions less than 7.11 don't have @metadata I'd like to use two different indicies conditionally. For example,
15 beats {
16 port => "5000"
17 codec => "plain"
18 ssl => true
19 ssl_certificate_authorities => ["/etc/pki/logstash/logstashCA.pem"]
20 ssl_certificate => "/etc/pki/logstash/logstashCA.pem"
21 ssl_key => "/etc/pki/logstash/logstashCA.p8"
22 ssl_verify_mode => "force_peer"
23 if [version] not in [beat] {
24 add_field => { "target_index" => "%{[@metadata][beat]}-%{[beat]}-7-%{+YYYY.MM.dd}" }
25 }
26 add_field => { "target_index" => "%{[@metadata][beat]}-%{[beat][version]}-%{+YYYY.MM.dd}" }
27 }
1 answers
solution1
1 2021-02-19 21:02:52
No, you cannot have a conditional based on fields of the event in an input because at the time the input is built no events exit. However you can do it in the filter section
if [beat][version] {
add_field => { "target_index" => "%{[@metadata][beat]}-%{[beat][version]}-%{+YYYY.MM.dd}" }
} else {
add_field => { "target_index" => "%{[@metadata][beat]}-%{[beat]}-7-%{+YYY
}
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.
Related Question
Logstash conditional output using environment variable not working
Having issues creating conditional outputs with logstash using metadata fields
conditional matching with grok for logstash
Logstash grok chain conditional filters
How to create a conditional field in logstash?
Checking for multiple strings in a conditional with logstash
Logstash conditional to check if tag exists?
Logstash output conditional on elasticsearch connection
logstash conditional statement in input block
Logstash conditional truncate on message length
Related Tags