Check existence of a field and checking null value in field

DavidL · July 6, 2015, 5:24pm

I have different types of logs generated by the software we user in one big file. I am trying to assign "log_type" to different types of logs in my file. Since they have different number of columns(I used csv plugin to parse them), I tried to differentiate them by checking the existence of unique field. In the below example, the top event doesn't have column 16, but the bottom one does.

So my config looked like this:

if [column16] {
... "type1"
}else {
... "type2"
}

but as it shows in the picture, they got assigned the same type number, I think the above if statement doesn't work, it can't tell the difference between a null value in the field and the field doesn't exist.

any suggestions?

talevy · July 7, 2015, 6:15am

There does not seem to be a straightforward way to accomplish this.

I suggest using the ruby filter for now to call event.include?("[column16]") and add a tag based on that or something so that you can continue with your normal branch conditionals.

talevy · July 7, 2015, 8:53pm

filed an issue for this here: https://github.com/elastic/logstash/issues/3568

mbertani · April 5, 2016, 8:28pm

Developing further the idea of using the ruby filter, can you try something like this?

                    code => "
					if event['column16'] == nil
						event['log_type'] = 'type2'
					else
						event['log_type'] = 'type1'
					end					
			"
	}```

Topic		Replies	Views
Check if event field does not exist when 'nil' should be considered as "exists" Logstash	2	761	October 18, 2021
How can I check event.field value from a file? Logstash	5	537	April 13, 2021
Conditionals: check field type Logstash	4	12964	July 6, 2017
Logstash ruby filter condition error Logstash	2	1013	March 20, 2019
Null validation in logstash Logstash	8	23734	July 6, 2017

Check existence of a field and checking null value in field

Related Topics