Using a case insensitive Logstash filter

About

Asked 20/1, 2017 at 17:12 Answered 26/6, 2017 at 9:12

logstash logstash-grok logstash-configuration

How do I change this Logstash filter to be case insensitive?

filter {
  if "foo" in [message] {
    mutate { add_field => { "Alert_level" => "5" }}
  }
}

I could not get it to work as shown in https://github.com/elastic/logstash/pull/3636

Dillon answered 20/1, 2017 at 17:12 Comment(1)

Isn't this working for you ` filter { if [message] ~ /(?i)foo/ { mutate { add_field => { "Alert_level" => "5" } } } }` – Bastinado 22/1, 2017 at 20:33

The pull request you mention was never merged, so it's not available (and apparently there is no plan to do so).

You can use another syntax (mentioned in one of the comments to your question):

filter {
  if "foo" =~ /(?i)message/ {
    ...
  }
}

The syntax will match for message or MESSAGE or even MeSSaGe.

Avens answered 26/6, 2017 at 9:12 Comment(1)

Erm, there are 2 erors in your example. First, you're testing the literal string foo against the (constant) regex message which never matches, regardless of case sensitivity. And second, you have swapped the places of "foo" and message. The poster's orignal expression "foo" in [message] basically means ""foo" is a substring of message" (or message.contains("foo") in Java terms). When you do it with a regex, the order is "variable matches regex", so it should be [message] =~ /(?i)foo/. – Baronet 2/7, 2020 at 1:50

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags