How to drop a nested field that has an empty value?

Robo · March 30, 2020, 9:54am

it's possible to drop a nested field in case the value is empty?
example:
"log":{"business_information":""}

background:
this is a workaround to avoid mapping issues, as other application logs are creating fields like:
log.business_information.id
log.business_information.trace

log.business_information is mapped as an object. In case an event with empty value will appear, this event is lost due mapping conflict:
object mapping for [log.business_information] tried to parse field [business_information] as object, but found a concrete value"

Badger · March 30, 2020, 3:06pm

I have not tested it but I would expect

if [log][business_information] == "" { drop {} }

to work.

Robo · March 31, 2020, 7:57am

Thanks for the hint.
We ended up with this configuration:

if [log][business_information] =~ /.*/ {
mutate {
rename => ["[log][business_information]", "[log][business_information_text]"]
}

and in second step the new field is deleted, in case it's empty.

system · April 28, 2020, 7:57am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Question elk stack Logstash	4	106	October 4, 2023
Conditional for empty string in field Logstash	7	11239	April 18, 2017
Error creating new field with the valu of a nested field Logstash	4	241	May 3, 2022
How to remove/drop entire logs after checking a condition in nested json fields Logstash	4	258	August 9, 2022
If condition for null in json field Logstash	2	218	September 8, 2023

How to drop a nested field that has an empty value?

Related Topics