How to drop a nested field that has an empty value?

Robo · March 30, 2020, 9:54am

it's possible to drop a nested field in case the value is empty?
example:
"log":{"business_information":""}

background:
this is a workaround to avoid mapping issues, as other application logs are creating fields like:
log.business_information.id
log.business_information.trace

log.business_information is mapped as an object. In case an event with empty value will appear, this event is lost due mapping conflict:
object mapping for [log.business_information] tried to parse field [business_information] as object, but found a concrete value"

Badger · March 30, 2020, 3:06pm

I have not tested it but I would expect

if [log][business_information] == "" { drop {} }

to work.

Robo · March 31, 2020, 7:57am

Thanks for the hint.
We ended up with this configuration:

if [log][business_information] =~ /.*/ {
mutate {
rename => ["[log][business_information]", "[log][business_information_text]"]
}

and in second step the new field is deleted, in case it's empty.

system · April 28, 2020, 7:57am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Question elk stack Logstash	4	106	October 4, 2023
Removing nested fields with empty field names Logstash	4	2927	August 1, 2018
Logstash Json remove nested properties that have empty field name Logstash	2	953	February 25, 2021
Remove fields with empty value Logstash	6	5376	May 29, 2020
Conditional for empty string in field Logstash	7	11257	April 18, 2017

How to drop a nested field that has an empty value?

Related topics