Empty variable vs. non-existent one

Elastic Stack Logstash
1

Is there any way to tell the difference between an empty variable and a non-existent one? The code
if [v1] == "" {
do something
}
acts exactly the same whether the variable exists and is empty or does not exist at all. The trouble is that the following code has two different results depending on whether the variable exists or not:
if [v1] == "" {
mutate { add_field => { "[v2]" => "value2" } }
}

If [v1] does not exist then [v2] contains "value2". If [v1] exists and is empty then [v2] is an array ["", "value2"]. If I change the add_field to update then in the first case [v2] does not get created (cannot update a non-existent variable) and [v2] is a scalar "value2".

2

The usual way to test for existence is

if [v1] { [...]

I know of no way to distinguish between a nil value and non-existence.

3

Very irritating. This makes it virtually impossible to ensure in Logstash that key fields will always be present. Seems like a very big deficiency.

Thanks for the answer @Badger.

4

Does mutate+coerce help? And note that using event.include? in a ruby filter does allow one to distinguish between a nil value and non-existence. That's one more thing I learned today :slight_smile:

5

@Badger I played with coerce a bit but it seems to have absolutely no effect. I need to try it in more controlled circumstances. I have thought about the ruby filter but I am worried about performance. Good suggestions though. I have also tried variations on update and replace which sound almost exactly the same in the doc.

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.