Logstash config, "if string contains..."

logstash logstash-grok logstash-configuration
A_Elric picture A_Elric · Aug 18, 2016 · Viewed 23.3k times · Source

So, let's assume that I have a portion of a log line that looks something like this:

GET /restAPI/callMethod1/8675309

The GET matches a http method, and get's extracted, the remainder matches a URI, and also gets extracted. Now in the logstash config let's assume that I wanted to do something like this...

if [METHOD] == "GET" {
    if [URI] (CONTAINS <--Is there a way to do this?) =="restAPI/callMethod1"{
        ....

Is there some way to do this? If so how would I go about doing that?

Thanks

Answer

Val picture Val · Aug 19, 2016

You can achieve it simply by using the =~ (regexp) operator like this (see conditionals):

if [METHOD] == "GET" {
  if [URI] =~ /restAPI\/callMethod1/ {
     ...

Related questions

Converting date format to YYYY-MM-DD from YYYY/MM/DD HH:MM:SS format in Logstash for nginx error logs

I am having nginx error logs of the below form:- 2015/09/30 22:19:38 [error] 32317#0: *23 [lua] responses.lua:61: handler(): Cassandra error: Error during UNIQUE check: Cassandra error: connection refused, client: 127.0.0.1, server: , request: "POST /consumers/ HTTP/1.1", host: "localhost:8001" As mentioned here I am able …

Read More
Logstash - remove deep field from json file

I have JSON file that I'm sending to ES through logstash. I would like to remove 1 field ( It's deep field ) in the JSON - ONLY if the value is NULL. Part of the JSON is: "input": { "startDate": "2015-05-27", "numberOfGuests": 1, "…

Read More
How to handle non-matching Logstash grok filters

I am wondering what the best approach to take with my Logstash Grok filters. I have some filters that are for specific log entries, and won't apply to all entries. The ones that don't apply always generate _grokparsefailure tags. For …

Read More