29

Is there any way in logstash to use a conditional to check if a specific tag exists?

For example,

grok {
match => [
"message", "Some expression to match|%{GREEDYDATA:NOMATCHES}"
]

if NOMATCHES exists Do something.

How do I verify if NOMATCHES tag exists or not?

Thanks.

CodeRunner
  • 391
  • 2
  • 4
  • 9

2 Answers2

64

Just so we're clear: the config snippet you provided is setting a field, not a tag.

Logstash events can be thought of as a dictionary of fields. A field named tags is referenced by many plugins via add_tag and remove_tag operations.

You can check if a tag is set:

if "foo" in [tags] {
    ...
}

But you seem to want to check if a field contains anything:

if [NOMATCHES] =~ /.+/ {
    ...
}

The above will check that NOMATCHES exists and isn't empty.

Reference: configuration file overview.

rutter
  • 11,242
  • 1
  • 30
  • 46
6

The following test for existence also works [tested in Logstash 1.4.2], although it may not validate non-empty:

if [NOMATCHES] {
    ...
}
dgassaway
  • 3,513
  • 2
  • 13
  • 8
  • 1
    This checks if the field named NOMATCHES exists. It doesn't look at the value. – bradvido Oct 09 '14 at 20:19
  • 1
    If you use this, be careful if the value of 'NOMATCHES" is boolean. http://stackoverflow.com/questions/26287082/logstash-config-check-if-boolean-field-exists – spuder Apr 20 '15 at 18:21