Empty variable vs. non-existent one

pgf · October 10, 2019, 6:32pm

Is there any way to tell the difference between an empty variable and a non-existent one? The code
if [v1] == "" {
do something
}
acts exactly the same whether the variable exists and is empty or does not exist at all. The trouble is that the following code has two different results depending on whether the variable exists or not:
if [v1] == "" {
mutate { add_field => { "[v2]" => "value2" } }
}

If [v1] does not exist then [v2] contains "value2". If [v1] exists and is empty then [v2] is an array ["", "value2"]. If I change the add_field to update then in the first case [v2] does not get created (cannot update a non-existent variable) and [v2] is a scalar "value2".

Badger · October 11, 2019, 2:39pm

The usual way to test for existence is

if [v1] { [...]

I know of no way to distinguish between a nil value and non-existence.

pgf · October 11, 2019, 12:07pm

Very irritating. This makes it virtually impossible to ensure in Logstash that key fields will always be present. Seems like a very big deficiency.

Thanks for the answer @Badger.

Badger · October 11, 2019, 3:38pm

Does mutate+coerce help? And note that using event.include? in a ruby filter does allow one to distinguish between a nil value and non-existence. That's one more thing I learned today

pgf · October 11, 2019, 6:20pm

@Badger I played with coerce a bit but it seems to have absolutely no effect. I need to try it in more controlled circumstances. I have thought about the ruby filter but I am worried about performance. Good suggestions though. I have also tried variations on update and replace which sound almost exactly the same in the doc.