How I can delete element from array?

gleb · October 30, 2019, 1:28pm

Hello!

I receive messages like this: "app_risk = 0 app_risk =2" or "app_risk = 0"
After kv filter, I have field "app_risk": [ "0", "2"] or ["0"].
How I can delete the first element of array - "0", if app_risk[1] exist ?
I try to do in filter
if [app_risk [1]] == "1"{ mutate {remove_field => ["app_risk[0]"] }
but it is not work, because I receive an error with logstash configuration, as I understand I cant use [app_risk[1]], only [app_risk].
How I can do it on Logstash filter?

Thank you for help, good day!!

Badger · October 30, 2019, 2:40pm

That should be

if [app_risk][1] { mutate { remove_field => "[app_risk][0]" } }

Note that it will still be an array with a single member.

gleb · October 30, 2019, 3:04pm

Thank you a lot, it is help me!

system · November 27, 2019, 3:04pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.