If you are looking for a way to control the flow of your logs in Logstash, you are in the right place.
In this tutorial, I will show you how to use conditionals in Logstash with if/else statements to control the flow of your logs.
This is usually helpful when you want to send logs to different outputs or apply different filters to different logs.
Let's get started.
Contents
Logstash Conditionals
In Logstash, you can use conditionals with the if/else statements to control the flow of your logs.
The syntax of the if/else statement in Logstash is very similar to the if/else statement in most programming languages.
if some_condition { # do something } else if some_other_condition { # do something else } else { # do something else }
The condition in the if/else statement can be comparisons, boolean operators, and so on.
Let's discover each type of condition in detail.
Comparison Operators
You can use comparison operators in the if/else statement to compare two values.
Here is a list of comparison operators that you can use in the if/else statement:
==: equal to!=: not equal to>: greater than<: less than>=: greater than or equal to<=: less than or equal to=~: matches a regular expression!~: does not match a regular expressionin: is a member of a list/stringnot in: is not a member of a list/string
For example, if you want to check if a field is equal to a value or not, you can use the == operator.
output { if [type] == "nginx" { # type is nginx elasticsearch { hosts => ["localhost:9200"] index => "nginx-%{+YYYY.MM.dd}" } } else { stdout { codec => rubydebug } } }
Another example is to check if a field matches a regular expression or not, you can use the =~ operator.
output { if [status] =~ /^5\d\d$/ { # status is 5xx elasticsearch { hosts => ["localhost:9200"] index => "nginx-%{+YYYY.MM.dd}" } } else { stdout { codec => rubydebug } } }
To check if a field is in a list/string or not, you can use the in operator.
output { if [status] in ["200", "201", "202"] { # status is 200, 201, or 202 elasticsearch { hosts => ["localhost:9200"] index => "nginx-%{+YYYY.MM.dd}" } } else { stdout { codec => rubydebug } } }
Boolean Operators
You can use boolean operators in the if/else statement to combine multiple conditions.
There are four boolean operators that you can use in the if/else statement:
and: both conditions must be trueor: at least one condition must be truenand: both conditions must be falsexor: only one condition must be true
For example, if you want to check if both conditions are true, you can use the and operator.
output { if [type] == "nginx" and [status] == "200" { # type is nginx and status is 200 elasticsearch { hosts => ["localhost:9200"] index => "nginx-%{+YYYY.MM.dd}" } } else { stdout { codec => rubydebug } } }
If you want to check if only one condition is true, you can use the xor operator.
output { if [type] == "nginx" xor [status] == "200" { # type is nginx or status is 200 elasticsearch { hosts => ["localhost:9200"] index => "nginx-%{+YYYY.MM.dd}" } } else { stdout { codec => rubydebug } } }
Negation Operator
The negation operator is !.
You can use the negation operator in the if/else statement to negate a condition.
For example, if you want to check if a field is not equal to a value, you can use the != operator.
output { if [data_stream][type] != "nginx" { # data stream type is not nginx elasticsearch { hosts => ["localhost:9200"] index => "nginx-%{+YYYY.MM.dd}" } } else { stdout { codec => rubydebug } } }
You can also check if a field exists or not using the negation operator.
output { if ![type] { # type does not exist elasticsearch { hosts => ["localhost:9200"] index => "nginx-%{+YYYY.MM.dd}" } } else if [type] { # type exists stdout { codec => rubydebug } } }
Conclusion
In this tutorial, you have learned how to use conditionals in Logstash with if/else statements to control the flow of your logs.
Hope it helps you with your work with the Elastic Stack.
Comments
Be the first to comment!