Question

Given the following logstash configuration:

input { stdin {} }

filter {
    grok {
        match => ["message", "foo (?<bar>.*)",
                  "message", "quux (?<stuff>.*)"
        ]
    }

    if "bar" in [tags] {
        mutate {
            add_field => { "had_bar" => "yup"}
        }
    }
}

output { stdout { codec => rubydebug } }

I would expect a message starting with "foo " to get the field had_bar added to my event. However, when I try it:

* bin/logstash -f simple.conf
Picked up JAVA_TOOL_OPTIONS: -Xmx1G
foo bar quux
{
       "message" => "foo bar quux",
      "@version" => "1",
    "@timestamp" => "2014-05-14T09:46:15.498Z",
          "host" => "my-dev-machine.com",
           "bar" => "bar quux"
}

What have I done wrong? I'm aware that grok also provides an add_field option, but I only want to add the field when I encounter the first pattern.

Solution

You're checking for fields in tags, but tags is just a normal field on the event. What you want is:

if [bar] {
    # ...
}
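
The pipeline from the question with the field test applied, next to a case where `in [tags]` is the right test. This is an added example, not part of the original answer; the hash form of `match` and the `parse_status` field name are assumptions made for illustration.

```logstash
input { stdin {} }

filter {
    grok {
        # Patterns are tried in order; the first match wins
        # (break_on_match defaults to true).
        match => { "message" => ["foo (?<bar>.*)", "quux (?<stuff>.*)"] }
    }

    # Field test: true only when the first pattern captured "bar".
    if [bar] {
        mutate { add_field => { "had_bar" => "yup" } }
    }

    # Tag test: "in [tags]" looks for a tag value, not a field name.
    # grok adds the _grokparsefailure tag when no pattern matches.
    # "parse_status" is a hypothetical field name.
    if "_grokparsefailure" in [tags] {
        mutate { add_field => { "parse_status" => "unparsed" } }
    }
}

output { stdout { codec => rubydebug } }
```
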
Licensed under: CC-BY-SA with attribution