I'm using a jms input to index data from queues, some fields contains two values ("2018-07-12T23:30:00.000+0000" and "2018-07-12T00:00:00.000+0000") that I have to replace with null value. How can I resolve this?
Thank you
Does this work for you?
if [somefield] == "2018-07-12T23:30:00.000+0000" or [somefield] == "2018-07-12T00:00:00.000+0000" {
ruby { code => 'event.set("somefield", nil)' }
}
Or perhaps
mutate { gsub => [ "somefield", "2018-07-12T(23:30|00:00):00.000\+0000", "" ] }
depending on what you mean by null.
Hello @Badger,
Thank you for your response, it works for me.
Do you have an idea about how to generalize this, I mean instead of 2018-07-12 I want to replace it by today ( so as to match today : "todayT23:30:00.000+0000"). I tried something like that, but it doesn't work :
if [scheduled_trigger_date] == "%{+YYYY-MM-dd}T23:30:00.000+0000" or [scheduled_trigger_date] == "%{+YYYY-MM-dd}T00:00:00.000+0000" {
ruby { code => 'event.set("scheduled_trigger_date", nil)' }
}
Thank you
I resolve it.
I post the solution for someone who will face the same problem :
mutate {
add_field => {
"replace_scheduled_trigger1" => "%{+YYYY-MM-dd}T23:30:00.000+0000"
"replace_scheduled_trigger2" => "%{+YYYY-MM-dd}T00:00:00.000+0000"
}
}
if [scheduled_trigger_date] == [replace_scheduled_trigger1] or [scheduled_trigger_date] == [replace_scheduled_trigger2] {
ruby { code => 'event.set("scheduled_trigger_date", nil)' }
}
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.