Dear,
From a source (winlogbeat 7.11) I'm getting messages which should contain a specific type, but sometimes the type is not the type expected and Elastic won't index the data.
I would like to have a condition in Logstash which will check if a valid type is given, and if it is not, then the field will be removed. I'm not sure how to achieve this.
Approximate example of what I would like to have:
# failed to parse field [winlog.event_data.IpPort] of type [integer]
#if ( "" in [winlog][event_data][IpPort] ) {
# grok {
# match => { "[winlog][event_data][UtcTime]" => "%{IP}" }
# break_on_match => true
# mutate { remove_field => [ "[winlog][event_data][IpPort]" ] }
# }
#}
Thanks for ideas.
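
One way to do the check described in the question, as an added example that is not part of the original post: a `ruby` filter that keeps `[winlog][event_data][IpPort]` only when it is a whole number and otherwise removes it, so the rest of the event is still indexed. The tag name `ipport_not_numeric` and the 0-65535 range check are assumptions made for this example.

```logstash
filter {
  ruby {
    code => '
      field = "[winlog][event_data][IpPort]"
      value = event.get(field)

      # Events without the field are left untouched.
      unless value.nil?
        text = value.to_s.strip

        # Accept only 1-5 digits inside the valid port range (assumed rule).
        if text.match?(/\A[0-9]{1,5}\z/) && text.to_i <= 65535
          # Store a real integer so it matches the integer mapping.
          event.set(field, text.to_i)
        else
          # Drop only the offending field and mark the event, so the
          # removal can be found later (hypothetical tag name).
          event.remove(field)
          event.tag("ipport_not_numeric")
        end
      end
    '
  }
}
```

Searching for the tag in Elasticsearch shows how often and from which hosts the malformed value arrives.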