Check if nested field exists not working

cdalexndr · September 11, 2019, 3:10pm

I have the following code in my logstash configuration where gsub is not applied

    if[exception][stacktrace] {
        mutate {
            gsub => ["exception.stacktrace","\s*at\s(?!package).*", ""]
        }
    }

The exception.stacktrace field is set in a grok match above.
Using the same message, if I remove the conditional, then the gsub is applied as expected, thus the conditional is not working!

I need to use the conditional because my grok matcher has two patterns, one with stacktrace other without it.

Is this a bug, or it's not the correct way to check a nested field existance?

Logstash 7.3.0

Badger · September 11, 2019, 3:22pm

If that is a nested field then you have to refer to it as "[exception][stacktrace]" in the gsub. If it has a period in its name then you need to refer to it as [exception.stacktrace] in the conditional.

cdalexndr · September 11, 2019, 6:32pm

Removing only the conditional, and keeping the field name "exception.stacktrace" in gsub works, and my stacktrace is correctly processed, so the issue is not gsub field name:

 mutate {
            gsub => ["exception.stacktrace","\s*at\s(?!package).*", ""]
        }

system · October 9, 2019, 6:32pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.