How do I change this Logstash filter to be case insensitive?
filter {
if "foo" in [message] {
mutate { add_field => { "Alert_level" => "5" }}
}
}
I could not get it to work as shown in https://github.com/elastic/logstash/pull/3636
Asked
Active
Viewed 6,166 times
7
Fred Sobotka
- 5,252
- 22
- 32
Jam
- 109
- 3
- 10
-
3Isn't this working for you ` filter { if [message] ~ /(?i)foo/ { mutate { add_field => { "Alert_level" => "5" } } } }` – tuk Jan 22 '17 at 20:33
1 Answers
12
The pull request you mention was never merged, so it's not available (and apparently there is no plan to do so).
You can use another syntax (mentioned in one of the comments to your question):
filter {
if "foo" =~ /(?i)message/ {
...
}
}
The syntax will match for message or MESSAGE or even MeSSaGe.
Fred Sobotka
- 5,252
- 22
- 32
magnetik
- 4,351
- 41
- 58
-
2Erm, there are 2 erors in your example. First, you're testing the literal string `foo` against the (constant) regex `message` which never matches, regardless of case sensitivity. And second, you have swapped the places of `"foo"` and `message`. The poster's orignal expression `"foo" in [message]` basically means "`"foo"` is a substring of `message`" (or `message.contains("foo")` in Java terms). When you do it with a regex, the order is "`variable` matches `regex`", so it should be `[message] =~ /(?i)foo/`. – Mike Jul 02 '20 at 01:50