elasticsearch 带有AND运算符的日志存储中的多个IF ELSE条件

如果我在logstash中使用这个逻辑，它会工作

如果[msg]中的“a”或[msg]中的“b”

但我需要使用的是运动和调节。如果我用和替换或，那么它将失败。有什么想法吗

这将失败

if "a" in [msg] and "b" in [msg]

我想做的是，无论何时选择字符串a和b并使用定义的过滤器，都非常感谢您提供的任何帮助

这对我很有用

filter {  
  grok {
    match => [ "message", "%{GREEDYDATA:my_data}" ]
    tag_on_failure => [ "_failure", "_grokparsefailure" ]
  }

  if "sandeep" in [my_data] and "kanabar" in [my_data]{
    mutate {
      add_field => { "status" => "Both name and surname present"}
    }
  }
  else if "sandeep" in [my_data] or "kanabar" in [my_data]{
    mutate {
      add_field => { "status" => "either name/surname present"}
    }
  }
}

试运行输出：

Input --> name:"sandeep test"
Output:
{
    "@timestamp" => 2019-10-31T11:27:33.941Z,
       "my_data" => "name:\"sandeep test\"",
      "@version" => "1",
          "host" => "M22959216G3QD",
       "message" => "name:\"sandeep test\"",
        "status" => "either name/surname present"
}
Input --> :"test kanabar"
Output:
{
    "@timestamp" => 2019-10-31T11:27:43.389Z,
       "my_data" => "name:\"test kanabar\"",
      "@version" => "1",
          "host" => "my_host",
       "message" => "name:\"test kanabar\"",
        "status" => "either name/surname present"
}
Input --> :"sandeep kanabar"
Output:
{
    "@timestamp" => 2019-10-31T11:27:50.516Z,
       "my_data" => "name:\"sandeep kanabar\"",
      "@version" => "1",
          "host" => "M22959216G3QD",
       "message" => "name:\"sandeep kanabar\"",
        "status" => "Both name and surname present"
}

---

这是正确的方法，你能分享你的数据样本，这样人们就可以试着找出错误吗？是的，它已经正确了…我唯一的错误是关于使用的字符串，它应该是大写而不是小写！。。感谢@leandrojmpthanks@Sandeep Kanabar对细节的澄清。