How to drop a nested field that has an empty value?

Robo · March 30, 2020, 9:54am

it's possible to drop a nested field in case the value is empty?
example:
"log":{"business_information":""}

background:
this is a workaround to avoid mapping issues, as other application logs are creating fields like:
log.business_information.id
log.business_information.trace

log.business_information is mapped as an object. In case an event with empty value will appear, this event is lost due mapping conflict:
object mapping for [log.business_information] tried to parse field [business_information] as object, but found a concrete value"

Badger · March 30, 2020, 3:06pm

I have not tested it but I would expect

if [log][business_information] == "" { drop {} }

to work.

Robo · March 31, 2020, 7:57am

Thanks for the hint.
We ended up with this configuration:

if [log][business_information] =~ /.*/ {
mutate {
rename => ["[log][business_information]", "[log][business_information_text]"]
}

and in second step the new field is deleted, in case it's empty.

Topic		Replies	Views
Removing nested fields with empty field names Logstash	4	3035	August 1, 2018
Logstash Json remove nested properties that have empty field name Logstash	2	1005	February 25, 2021
How can i remove field? Logstash	3	676	July 6, 2017
Logstash if message is empty, drop the entire row Logstash	10	8101	April 3, 2020
Remove fields with empty value Logstash	6	5890	May 29, 2020

How to drop a nested field that has an empty value?

Related topics