Unfortunately, the check is not working and the empty geoip-hashes slip into the outputs. I then tried to compare [geoip] with {} and got a syntax error. I then tried "{}" (quoted), which had no effect -- the empties still made it. Is it possible to detect an empty hash -- and remove it? Thanks!
I don't think the Logstash configuration language really has hash literals in the same way it has array literals, in which case this isn't possible except with a ruby filter.
Thanks, Magnus, I'll try it. Meanwhile, generally speaking, should not the removal of the last key->value pair from a hash remove the now-empty hash automatically?
Ruby does not do it, but Logstash probably can -- and should...
By the way, the get() method is not available in Logstash-2.3, which we are currently using. Fortunately, an event's field can still be accessed through the [] notation (not documented anywhere I could find). But if the field does not exist, the result will be nil, which cannot be checked for empty?ness, so my filter reads thus:
ruby {
    # Initialize the suspects once:
    init => "SuspectFields = ['geoip', 'cdn']"
    code => "
        SuspectFields.each do |field|
            event.remove(field) if event[field].nil? or event[field].empty?
        end
    "
}
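The pruning discussed in this thread, as an added example that is not part of any post above and is not Logstash's own code. It is plain Ruby that runs outside Logstash and models the event as a nested Hash (an assumption); the names `SUSPECT_FIELDS`, `blank_value?`, `prune_empty!` and `clean_event!` are hypothetical. It goes beyond the filter above in two ways: it removes a parent hash that becomes empty once its children are pruned, and it leaves values that have no `empty?` method, such as integers, untouched.

```ruby
# Added example: plain Ruby, runnable outside Logstash. The event is modelled
# as a nested Hash; all names below are hypothetical, not Logstash API.

SUSPECT_FIELDS = %w[geoip cdn].freeze

# True for nil and for empty hashes/arrays/strings. Values that do not
# respond to empty? (an Integer, for instance) are never treated as blank,
# which avoids the NoMethodError a bare value.empty? would raise on them.
def blank_value?(value)
  value.nil? || (value.respond_to?(:empty?) && value.empty?)
end

# Recursively drop blank entries from a Hash, children first, so a parent
# that loses its last key is itself removed by the caller's pass.
def prune_empty!(hash)
  hash.each_value { |v| prune_empty!(v) if v.is_a?(Hash) }
  hash.delete_if { |_key, v| blank_value?(v) }
  hash
end

# Prune only the suspect top-level fields, then remove any that ended up blank.
def clean_event!(event, fields = SUSPECT_FIELDS)
  fields.each do |field|
    value = event[field]
    prune_empty!(value) if value.is_a?(Hash)
    event.delete(field) if blank_value?(value)
  end
  event
end

# Constructed sample event (not real log data).
SAMPLE_EVENT = {
  'message' => 'GET /index.html',
  'geoip'   => { 'location' => {} }, # becomes empty after nested pruning
  'cdn'     => nil,                  # missing lookup result
  'bytes'   => 0                     # not a suspect field, left alone
}

if __FILE__ == $PROGRAM_NAME
  p clean_event!(Marshal.load(Marshal.dump(SAMPLE_EVENT)))
end
```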