I'm trying to drop logs from the config that contain a field with blank string for a particular field. e.g.
if [foo] == "" { drop{} }
This is not working as when the logs come through it shows as "foo" => "\"\""
A little background, I'm using the kv { } filter prior to this conditional. Also using stdout { codec => rubydebug }.
I always use the following to check for an empty string.
if [foo] !~ /.+/ { drop { } }This is seeming to drop everything. Even if there is content in foo. Some logs come with foo="" and some come with foo="bar". When I put this conditional in the config, I don't receive any logs.
Hello,
I would try something like
if [foo] and [foo]=="" {drop { } }
regards,
With "foo" => "\"\"" the string isn't empty; it contains two double quotes. Perhaps you should use the mutate filter's gsub option to remove leading and trailing double quotes before your conditional?
This did not seem to work either, same behavior as previously described...this drops all messages.
So I ended up having to modify the data that was coming in, and got it working. I think the above solutions would have worked in a different scenario.
Thanks everyone for your help
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.