Logstash – field conditional expressions

Check if the field myToken exists

filter {
  if [myToken] {
    # my program goes here
  }
}

Check if the field [myCategory][myToken] exists

filter {
  if [myCategory] {
    if [myCategory][myToken] {
      # my program goes here
    }
  }
}

Check if the field myToken does not exist

filter {
  if ![myToken] {
    # my program goes here
  }
}

Check if the field myToken is empty

filter {
  if [myToken] !~ /.+/ {
    # my code goes here
    # drop { }
  }
}
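
The four checks above combined into one self-contained pipeline, as an added example that is not from the original post. The sample events, tag names and file name are constructed for illustration; per Elastic's documentation, if [myToken] is also false when the field exists but holds false or null, which the third event lets you observe.

```logstash
# Added example: run the page's four checks against constructed events.
# Run with: bin/logstash -f conditionals.conf   (file name is an assumption)
input {
  generator {
    # Constructed sample events, one JSON document per line.
    lines => [
      '{"myToken": "abc123"}',
      '{"myToken": ""}',
      '{"myToken": false}',
      '{"myCategory": {"myToken": "abc123"}}',
      '{"other": 1}'
    ]
    count => 1        # emit each line once, then stop
    codec => json     # decode each line into event fields
  }
}

filter {
  # "field exists" check
  if [myToken] {
    mutate { add_tag => ["check_exists"] }
  }
  # "field does not exist" check
  if ![myToken] {
    mutate { add_tag => ["check_not_exists"] }
  }
  # "field is empty" check
  if [myToken] !~ /.+/ {
    mutate { add_tag => ["check_empty"] }
  }
  # nested field check, written as one condition instead of two nested ifs
  if [myCategory] and [myCategory][myToken] {
    mutate { add_tag => ["check_nested_exists"] }
  }
}

output {
  # Print every event with its tags so the checks can be compared side by side.
  stdout { codec => rubydebug }
}
```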

 

Reference from Elastic:

To check if field foo exists:

1) For numeric type fields use:

if ([foo]) { ... }

2) For types other than numeric, like boolean and string, use:

if ("" in [foo]) { ... }

filter {
  if [foo] in [foobar] {
    mutate { add_tag => "field in field" }
  }

  if [foo] in "foo" {
    mutate { add_tag => "field in string" }
  }

  if "hello" in [greeting] {
    mutate { add_tag => "string in field" }
  }

  if [foo] in ["hello", "world", "foo"] {
    mutate { add_tag => "field in list" }
  }

  if [missing] in [alsomissing] {
    mutate { add_tag => "shouldnotexist" }
  }

  if !("foo" in ["hello", "world"]) {
    mutate { add_tag => "shouldexist" }
  }
}

 
