27
votes

Is there any way in logstash to use a conditional to check if a specific tag exists?

For example,

grok {
match => [
"message", "Some expression to match|%{GREEDYDATA:NOMATCHES}"
]

if NOMATCHES exists Do something.

How do I verify if NOMATCHES tag exists or not?

Thanks.

2

2 Answers

60
votes

Just so we're clear: the config snippet you provided is setting a field, not a tag.

Logstash events can be thought of as a dictionary of fields. A field named tags is referenced by many plugins via add_tag and remove_tag operations.

You can check if a tag is set:

if "foo" in [tags] {
    ...
}

But you seem to want to check if a field contains anything:

if [NOMATCHES] =~ /.+/ {
    ...
}

The above will check that NOMATCHES exists and isn't empty.

Reference: configuration file overview.

6
votes

The following test for existence also works [tested in Logstash 1.4.2], although it may not validate non-empty:

if [NOMATCHES] {
    ...
}