logstash check if field exists

Question

Welcome To Ask or Share your Answers For Others

logstash check if field exists

asked Oct 24, 2021 in Technique[技术] by 深蓝 (71.8m points)

I have log files coming in to an ELK stack. I want to copy a field (foo) in order to perform various mutations on it, However the field (foo) isn't always present.

If foo doesn't exist, then bar still gets created, but is assigned the literal string "%{foo}"

How can I perform a mutation only if a field exists?

I'm trying to do something like this.

if ["foo"] {
  mutate {
    add_field => "bar" => "%{foo}
  }
}

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙；凝视深渊过久,深渊将回以凝视…

1.3k views

1 Answer

深蓝 · Answer 1 · 2021-10-23T17:44:45+0000

To check if field foo exists:

1) For numeric type fields use:

 if ([foo]) {
    ...
 }

2) For types other than numeric like boolean, string use:

if ("" in [foo]) {
    ...
}

Categories

logstash check if field exists

Please log in or register to add a comment.

Please log in or register to answer this question.

1 Answer

Please log in or register to add a comment.

Just Browsing Browsing

Most popular tags