Minh Vu
Software Engineer
Hi 👋, I'm a software engineer specializing in backend systems, distributed systems, and scalable architecture. My blog shares practical tutorials based on 3+ years of experience. LeetCode 1756 (Top 10%). Actively seeking SDE roles — let's get in touch!
Leave a Comment
Receive Latest Updates 📬
Get every new post, special offers, and more via email. No fee required.
If you are looking for a way to control the flow of your logs in Logstash, you are in the right place.
In this tutorial, I will show you how to use conditionals in Logstash with if/else statements to control the flow of your logs.
This is usually helpful when you want to send logs to different outputs or apply different filters to different logs.
Let's get started.
In Logstash, you can use conditionals with the if/else statements to control the flow of your logs.
The syntax of the if/else statement in Logstash is very similar to the if/else statement in most programming languages.
if some_condition { # do something } else if some_other_condition { # do something else } else { # do something else }
The condition in the if/else statement can be comparisons, boolean operators, and so on.
Let's discover each type of condition in detail.
You can use comparison operators in the if/else statement to compare two values.
Here is a list of comparison operators that you can use in the if/else statement:
==: equal to!=: not equal to>: greater than<: less than>=: greater than or equal to<=: less than or equal to=~: matches a regular expression!~: does not match a regular expressionin: is a member of a list/stringnot in: is not a member of a list/stringFor example, if you want to check if a field is equal to a value or not, you can use the == operator.
output { if [type] == "nginx" { # type is nginx elasticsearch { hosts => ["localhost:9200"] index => "nginx-%{+YYYY.MM.dd}" } } else { stdout { codec => rubydebug } } }
Another example is to check if a field matches a regular expression or not, you can use the =~ operator.
output { if [status] =~ /^5\d\d$/ { # status is 5xx elasticsearch { hosts => ["localhost:9200"] index => "nginx-%{+YYYY.MM.dd}" } } else { stdout { codec => rubydebug } } }
To check if a field is in a list/string or not, you can use the in operator.
output { if [status] in ["200", "201", "202"] { # status is 200, 201, or 202 elasticsearch { hosts => ["localhost:9200"] index => "nginx-%{+YYYY.MM.dd}" } } else { stdout { codec => rubydebug } } }
You can use boolean operators in the if/else statement to combine multiple conditions.
There are four boolean operators that you can use in the if/else statement:
and: both conditions must be trueor: at least one condition must be truenand: both conditions must be falsexor: only one condition must be trueFor example, if you want to check if both conditions are true, you can use the and operator.
output { if [type] == "nginx" and [status] == "200" { # type is nginx and status is 200 elasticsearch { hosts => ["localhost:9200"] index => "nginx-%{+YYYY.MM.dd}" } } else { stdout { codec => rubydebug } } }
If you want to check if only one condition is true, you can use the xor operator.
output { if [type] == "nginx" xor [status] == "200" { # type is nginx or status is 200 elasticsearch { hosts => ["localhost:9200"] index => "nginx-%{+YYYY.MM.dd}" } } else { stdout { codec => rubydebug } } }
The negation operator is !.
You can use the negation operator in the if/else statement to negate a condition.
For example, if you want to check if a field is not equal to a value, you can use the != operator.
output { if [data_stream][type] != "nginx" { # data stream type is not nginx elasticsearch { hosts => ["localhost:9200"] index => "nginx-%{+YYYY.MM.dd}" } } else { stdout { codec => rubydebug } } }
You can also check if a field exists or not using the negation operator.
output { if ![type] { # type does not exist elasticsearch { hosts => ["localhost:9200"] index => "nginx-%{+YYYY.MM.dd}" } } else if [type] { # type exists stdout { codec => rubydebug } } }
In this tutorial, you have learned how to use conditionals in Logstash with if/else statements to control the flow of your logs.
Hope it helps you with your work with the Elastic Stack.
Next.js SEO: The Complete Checklist to Boost Your Site Ranking
Next.js JSON-LD: How to Add Structured Data to Your Website
Logstash: How to Remove Field using Mutate Filter
Logstash Conditionals: Using if/else to Control Log Flow
Logstash: Add Field to Event with Mutate Filter
Comments