Clean method for adding field when the values may be missing?

jbrowe · May 2, 2022, 7:42pm

I have logs with variable field names. For example:

{"field_one":"first", "field_two":"second"}

("field_two":"second", "field_three": "third"}

To get the correct index mapping, I currently I use:

mutate {
     add_field => {
          "[field][one]" => "%{field_one}"
          "[field][two]" => "%{field_two}"
          "[field][three]" => "%{field_three}"
     }
}

This works, but I get the following indexed events:

[field][one] : "first", [field][two]: "second", [field][three]: "%{field_three}"

[field][one]: "%{field_one}",  [field][two]: "second", [field][three]: "third"

If a value is not present in the event, then the value for the added field is just "%{value}". Is there a cleaner way to do this without adding an if statement to every single field added?

system · May 30, 2022, 7:42pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Removing fields with certain value (or if mapping is not found) from the output Logstash	8	2295	June 12, 2019
How to add a new field and value with field name and value taken from another fields value? Logstash	2	515	February 5, 2019
Kibana search for events with missing fields Elasticsearch	2	5419	July 6, 2017
Add new field based on value in event_data Beats winlogbeat	3	797	September 29, 2017
Filter logstash - Add simple field Logstash	4	338	October 23, 2020

Clean method for adding field when the values may be missing?

Related topics