Updated March 16, 2023
Introduction to Logstash conditional
Logstash conditional is used when we have certain scenarios where we want to perform tasks such as filtering the event or outputting the same only if certain specified conditions are satisfied. It is a feature in Logstash which allows specifying conditions and follows proper syntax while doing so.
In this article, we will be learning deeply about the topic in Logstash, which is Logstash conditional. Along with it, we will study and get to know more insights about it by discussing some of the subtopics of conditional, which include what Logstash conditional is, how to work on conditional filter in Logstash, using Logstash conditional, Logstash conditional pipeline configuration, and conclusion about the same.
What is Logstash conditional?
Many scenarios occur inside the application where we want some tasks to be carried out only if some of the required conditions are met or satisfied. For this, in logsatsh, we have the superior functionality of using the conditional statements of if, else, and else-if, also referred to as Logstash Conditionals. According to our application requirement, we can keep extending the ladder to others if we want.
In other words, similar to that of other programming languages, the conditionals in Logstash also follow the same pattern, rules, and implementation. We can also go for nesting multiple or single conditional statements inside one or more conditional statements. As discussed priorly, conditional statements include the usage of three main statements: if, else, and else if.
The syntax of the Logstash conditionals is as specified below –
if conditional_expression {
// statements to be performed if conditional_expression goes true
} else if conditional_expression_2 {
// Statements to be executed on evaluation of conditional_expression_2 to true and conditiona_expression to false.
} else {
// Statements to be executed if not even the conditional_expression of conditional_expression_2 evaluated to true.
}
To understand the above syntax, let us first understand the conditional_expressions mentioned above. The conditional expression can be any test involving comparison, the logical statement that evaluates to a Boolean value, or anything like that.
How to work on conditional filter in Logstash?
To create the conditional expression, we can go for using the operators of comparison, which are specified below –
- To carry out the comparison for the test of equality we can use operators such as == (exactly equal to), != (not equal to), > (greater than), < (less than), <= (less than or equal to) or >= which stands for (greater than or equal to).
- For regular expressions, we can use =~ or !~, which helps test the pattern that will be present on the right side of the expression for the value of the string specified on the left side.
- We can use the expressions involving the implementation of inclusion logic, which contains operators like in or not in.
- Other than the above ones, to create the conditional expressions, we can also use boolean operators, out of which the supported ones include nand, xor, and, or.
- We can use unary operators, including! Which stands for negating the specified value or expression, whichever is specified.
We need to note one thing here: the specified conditional expressions may be long and complex sometimes as they might contain the use of other expressions as well, like in the case of negate! So what we do is we negate that calculates the opposite of that value is derived from the specified expression. Also, one more functionality and feature that sometimes makes the expressions more complex is a parenthesis to group multiple sub-expressions.
Using Logstash conditional
We will look at examples in this section to understand the use of Logstash conditionals.
Let us consider one example; in the below code, we will use a mutate filter, allowing us to write conditional code. We will remove the existing field in our event named educba_field only if the article_name field contains the value of “Logstash” in it –
filter {
if [article] == "Logstash" {
mutate { remove_field => "educba_field" }
}
}
This gives the following output on running as the field named article contained Logstash as its value –
Let us consider one example where we will be specifying multiple expressions inside the same conditional statement –
output {
if [level_of_log] == " erroneous _report" and [deployment_to] == "production_environment" {
handleTransaction {
...
}
}
}
Which looks as shown below in the file –
What we do in the above code snippet is in case any occurrence of an erroneous report is found and the deployment is made to the production environment. All the erroneous reports are forwarded to handle transactions.
We can use in and not in operators to check for the existence of a specific element, list, key, or string value in the field. The meaning of in semantically changes depending on the target field type you are checking. For example, suppose you have a string field and use it. In that case, it is considered that you are checking whether the specified value is a substring of the target string value. At the same time, if the target field type contains the collection of values, then you are checking whether the specified element is present in the collection or not.
Logstash conditional pipeline configuration
We can use the conditional statements in the configuration file in the sections of filter and input only. For example, if we use conditionals in Logstash based on educba_field, we forward the event to the proper name of the index inside the specified elastic search. For this, we will be using the below code –
output {
if [educba_field] ~= \.* {
elasticsearch {
hosts => ["172.12.20.16:5555"]
index => "%{[educba_field][0]}"
}
} else {
elasticsearch {
hosts => ["172.12.20.16:5555"]
index => "%{[sample_field][specified_name]}"
}
}
}
This gives the following output, as seen in the file shown below –
Conclusion
In this way, we can use Logstash conditionals in the Logstash to implement the behavior such that certain steps can only be executed if the specified conditions are true.
Recommended Articles
This is a guide to Logstash Conditional. Here we discuss the topic in Logstash, which is Logstash conditional, and along with it, we will study and get to know more insights. You may also look at the following articles to learn more –