Question
This is mainly because I could not find an answer to this, and I want to know how it works/why it works.
Here are my filter examples:
(1)
    if [message] in ["a","b"] {
        mutate {
            add_field => { "tet" => "world2" }
        }
    }
This works perfectly fine for messages that are "a" or "b". A new field is added. Perfect.
(2)
    if [message] == "a" {
        mutate {
            add_field => { "tet" => "world2" }
        }
    }
Works perfectly fine when the message is "a".
(3)
    if [message] in ["a"] {
        mutate {
            add_field => { "tet" => "world2" }
        }
    }
This does not work. If the message is "a" the check still fails and no field is added to my event.
Why does the last check fail? Is this a bug? I imagine that, with typing, Logstash does not think that "a" is supposed to be a one-element array, but I am not sure about that.
If you could also point me to some docs that explain this behaviour :)
Thanks
Answer 1:
This is some tricky behavior, but I believe I worked out why this is happening. This is probably some unintended behavior created by the double use of square brackets [] as array and field name delimiters.
When there are multiple, comma-separated elements between the brackets, Logstash reads ["a","b"] as an array. When there is only one element, Logstash reads a field name, so the check in ["a"] looks for a field named "a" and its value.
Proof:
Filter:
    mutate {
        add_field => {'"pop"' => "corn"}
    }
    if "corn" in ["pop"] {
        mutate {
            add_tag => ["zing"]
        }
    }
Input:
    foo
Output:
    {
           "message" => "foo",
          "@version" => "1",
        "@timestamp" => "2016-07-05T20:08:44.297Z",
              "host" => "4244ed3ff45a",
           "\"pop\"" => "corn",
              "tags" => [
            [0] "zing"
        ]
    }
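The practical consequence of the behaviour described in the answer is that a single-element `in ["a"]` check fails silently: no error is raised, the branch simply never fires, which is a quiet way for a detection or enrichment rule to stop working. The filter below is an added example (not from the original question or answer) that puts the broken single-element form next to the forms that are safe for a single allowed value; the tag names are made up for illustration, and the example assumes the quirk exactly as the answer states it.

```logstash
filter {
  # Added example; assumes the behaviour described in the answer above:
  # a one-element bracket list in a conditional is read as a field
  # reference, not as an array. Tag names here are illustrative only.

  # Silently broken: ["a"] refers to a field named "a", so this branch only
  # fires if such a field exists and contains the message value.
  if [message] in ["a"] {
    mutate { add_tag => ["matched_single_element_in"] }
  }

  # Safe forms for a single allowed value: plain equality, or an anchored
  # regular expression (Logstash conditionals support =~ with a regex).
  if [message] == "a" {
    mutate { add_tag => ["matched_equals"] }
  }
  if [message] =~ /^a$/ {
    mutate { add_tag => ["matched_regex"] }
  }

  # Two or more elements are parsed as an array, so the list form only
  # behaves as intended once it has at least two entries.
  if [message] in ["a", "b"] {
    mutate { add_tag => ["matched_array_in"] }
  }
}
```

Run with the same `stdin` input and `stdout { codec => rubydebug }` output setup the answer used, an event whose message is exactly `a` should, given the behaviour the answer describes, come out tagged `matched_equals`, `matched_regex` and `matched_array_in` but not `matched_single_element_in`. Checking for the missing tag on a known-good event is a cheap regression test to keep around when a pipeline's allow-list shrinks to one entry.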
Source: https://stackoverflow.com/questions/38146651/logstash-in-check-for-array-only-works-with-more-than-1-element