Logstash in check for array only works with more t

Published 2019-07-19 03:34

Question:

This is mainly because I could not find an answer to this and I want to know how it works/why it works.

Here are my filter examples:

(1):

if [message] in ["a","b"] {
      mutate {
          add_field => { "tet" => "world2" }
      }
}

This works perfectly fine for messages that are "a" or "b". A new field is added. Perfect.

(2)

if [message] == "a" {
      mutate {
          add_field => { "tet" => "world2" }
      }
}

Works perfectly fine when the message is "a".

(3)

if [message] in ["a"] {
      mutate {
          add_field => { "tet" => "world2" }
      }
}

This does not work. If the message is "a" the check still fails and no field is added to my event.

Why does the last check fail? Is this a bug? I imagine that with typing, logstash does not think that "a" is supposed to be a 1 element array, but I am not sure about that.

If you could also point me to some docs that explain this behaviour :)

Thanks

Answer 1:

This is some tricky behavior, but I believe I worked out why this is happening. This is probably some unintended behavior created by the double use of square brackets [] as array and field name delimiters.

When there are multiple, comma-separated elements between the brackets, logstash reads ["a","b"] as an array. When there is only one element, logstash reads a field name, so the check in ["a"] looks for a field named "a" and its value.
Proof:

Filter:

mutate {
  add_field => { '"pop"' => "corn" }
}
if "corn" in ["pop"] {
  mutate {
    add_tag => ["zing"]
  }
}

Input:

foo

Output:

{
       "message" => "foo",
      "@version" => "1",
    "@timestamp" => "2016-07-05T20:08:44.297Z",
          "host" => "4244ed3ff45a",
       "\"pop\"" => "corn",
          "tags" => [
        [0] "zing"
    ]
}
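As an added illustration (not from the question or the answer, and not Logstash's own code), here is a small Python model of the parsing rule the answer describes: a bracketed term with one comma-free element is read as a field selector (quotes included in the field name), while a bracketed term containing a comma is read as an array literal. That the selector rule is tried before the array rule is an assumption about Logstash's config grammar; the events are constructed sample data.

```python
import re
from typing import Any, Dict

# Assumption modelled here: Logstash tries the field-selector rule before the
# array rule, and a selector element may not contain a comma. So ["a"] is a
# reference to a field literally named "a" (quotes included), while ["a","b"]
# falls through to the array rule.
SELECTOR_RE = re.compile(r'^\[([^\[\],]+)\]$')
STRING_RE = re.compile(r'^"(.*)"$')


def resolve(expr: str, event: Dict[str, Any]) -> Any:
    """Resolve one right- or left-hand value of a conditional against an event."""
    expr = expr.strip()
    m = SELECTOR_RE.match(expr)
    if m:                                   # field reference, e.g. [message] or ["a"]
        return event.get(m.group(1))
    if expr.startswith("[") and expr.endswith("]"):   # array literal (has a comma)
        return [resolve(item, event) for item in expr[1:-1].split(",") if item.strip()]
    m = STRING_RE.match(expr)
    if m:                                   # quoted string literal
        return m.group(1)
    return expr


def logstash_in(lhs_expr: str, rhs_expr: str, event: Dict[str, Any]) -> bool:
    """Evaluate `lhs in rhs` the way the modelled Logstash conditional would."""
    lhs = resolve(lhs_expr, event)
    rhs = resolve(rhs_expr, event)
    if lhs is None or rhs is None:
        return False                        # a missing field never matches
    if isinstance(rhs, list):
        return lhs in rhs                   # array membership
    return str(lhs) in str(rhs)             # string containment


if __name__ == "__main__":
    event = {"message": "a"}                # constructed sample event
    print(logstash_in("[message]", '["a","b"]', event))   # True: parsed as array
    print(logstash_in("[message]", '["a"]', event))       # False: looks for field "a"
    proof = {"message": "foo", '"pop"': "corn"}           # the answer's proof event
    print(logstash_in('"corn"', '["pop"]', proof))        # True: field "pop" holds corn
```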