Checking for existence of nested field

danieljamesscott · November 11, 2015, 12:46pm

Hi,

Some of my grok filters parse my message fields into 2 parts:

             "message" => [
    [0] "2015-11-11 12:44:38.225 +0000  INFO [pool-1-thread-1] com.example.JavaClass: logmessage",
    [1] "logmessage"
],

I'm trying to replace the 'message' field with the parsed message, and store the original message in another field:

   if [message][1] =~ /.+/ {
      mutate {
           add_field => {"original_message" => "%{[message][0]}"}
           }
      mutate {
           replace => {"message" => "%{[message][1]}"}
           }
   }

This works fine for messages which do have [0] and [1] parts, but messages which do not have subfields are coming out with literal '0' and '1' in the field values, according to 'rubydebug':

{
         "message" => "1",
         "original_message" => "0"
}

Any ideas what I'm doing wrong?

Thanks,

Dan

magnusbaeck · November 11, 2015, 12:48pm

Can't you just avoid capturing message twice, perhaps by renaming message to original_message prior to the grok filter?

danieljamesscott · November 11, 2015, 1:10pm

Thanks - I've worked around it by using log_message in my grok's, to hold the parsed log message