I have a document that contains multiple fields with name metrics.time.*. I would like to be able to drop all fields from the event that have key => metrics.time* and value < 1. Can this be accomplished? I tried doing something like this which doesn't work
filter {
ruby {
code => "
event.to_hash.each { |key, value|
if key =~ metrics.time and value <=1 then
event.remove(key)
}
"
}
}
If you run this configuration the metrics.time.foo field will have been removed from the event
input { generator { count => 1 lines => [ '' ] } }
filter {
mutate { add_field => { "[metrics.time.foo]" => 0.8 } }
mutate { convert => { "[metrics.time.foo]" => "float" } }
ruby {
code => '
event.to_hash.each { |key, value|
if key =~ /metrics.time/ and value <= 1 then
event.remove(key)
end
}
'
}
}
output { stdout { codec => rubydebug { metadata => false } } }
If that does not work for your events then make sure that value is a float (or .to_f it in the ruby filter, but note that for things that are not actually floats .to_f will return zero). Also, do you really have periods in name of the field or do you have [metrics][time][someField]?
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.