Filter to drop all packets that are null not working

Ben_Hoffman · February 28, 2017, 5:18pm

So I wrote a filter to drop any event that has a certain field with a value of null:

 filter {
    if[type] == "flow" and [packet_source][ip] == "" {
            drop { }
    }
}

However, this does not work. Does anyone have any idea why? The names of the parameters are correct

Logstash version 5.2

jkuang · February 28, 2017, 8:26pm

Please provide the logstash configs and a sample line of data.

Ben_Hoffman · February 28, 2017, 8:30pm

Here is what my output looks like, and sometimes the "packet_source.ip" is empty, so I want to drop those packets.

As for my configs, I have the default ones, one set up for input from packetbeat, and that filter in my original post.

jkuang · March 1, 2017, 12:08am

Try the following:

 filter {
    if[type] == "flow" and !([packet_source][ip])  {
            drop { }
    }
}

system · March 29, 2017, 12:08am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash null fields to drop Logstash	5	1938	April 1, 2019
Drop filter in Logstash filter not working for the below event Logstash	2	176	October 13, 2023
IF conditional not dropping field Logstash	2	520	February 19, 2018
Does the JSON filter create `null` value if parsing empty string? Logstash	3	2707	January 30, 2018
Logstash filter no longer works after upgrading Logstash	2	293	June 12, 2018