Can not access dot (eg foo.bar) fields in logstash


(ankur) #1

How to access dot fields in logstash.

if [foo.bar] == "xyz" {
grok {
add_field => {"new_field", "pqr"}
}
}

Field "foo.bar" exists and its value is "xyz" but its not going in the 'if' block

I also tried foo.bar but no luck.

logstash -1.5.3

Thanks


(Magnus B├Ąck) #2

Quoting the Field References documentation:

The syntax to access a field is [fieldname]. If you are referring to a top-level field, you can omit the [] and simply use fieldname. To refer to a nested field, you specify the full path to that field: [top-level field][nested field].


(ankur) #3

Thanks so much!


(system) #4