Coerce seems not working

Jan_Vavra · August 17, 2023, 1:13pm

I am constructing datetime from directory structure, eg. 2023\08\17\15\08 represent files stored at 2023-08-17 15:08. I have this logstash.conf that parses each directory name into variables and hours and minutes are optional.

if [type] =~ "mytype" {
    grok {
      match => {"message" => [
        ## Info
        '%{TIMESTAMP_ISO8601:p_date} .* \[BACKUP\] "(?<p_dir_year>\d{4})[^\d](?<p_dir_month>\d{2})[^\d](?<p_dir_day>\d{2})(?:[^\d](?<p_dir_hour>\d{2})[^\d](?<p_dir_minute>\d{2})|)": %{NUMBER:p_dir_files}'
      ] }
    }
    mutate {
      coerce => {
        "p_dir_hour" => "00"
        "p_dir_minute" => "00"
      }
    }
    mutate {
      add_field => {
        "p_dir_timestamp" => "%{p_dir_year}-%{p_dir_month}-%{p_dir_day} %{p_dir_hour}:%{p_dir_minute}"
      }
    }

For case where there is a structure only for day, eg. 2023\08\16 I have in grok regex (?:...|) part. Parsing in variables works fine but if I want to assing default value usign coerce, the construction of iso8601 string variable p_dir_timestamp has this value
"2023-08-17 %{p_dir_hour}:%{p_dir_minute}"

So no default value is assigned.
For dirs with hours and minutes is everything ok.

What I am doing wrong ?

Rios · August 18, 2023, 7:34pm

coerce - Set the default value of a field that exists but is null

For instance, if "p_dir_hour" => nil, you can use coerce to set default like 0 or empty string "".
I think your fields do not exist at all, you can add:

if ![p_dir_hour] {
    mutate { coerce => { "p_dir_hour" => "00" } }
}

For a nil/null validation you should use ruby.

Jan_Vavra · August 22, 2023, 7:33am

Ok. It also works:

 if ( ! [p_dir_hour])
    {
      mutate {
        add_field => {
          "p_dir_hour" => "00"
        }
      }
    }

system · September 19, 2023, 7:34am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.