How to escape sprintf (to compare against an uninterpolated value)

Hi all, I'm on Elastic 7.10.2, and I noticed a problem with my processing. Some incoming data has tried to set a field using a sprintf string, but the sprintf expression did not result in a replacement, so I'm left with a field that contains an uninterpolated string. This is resulting in Elasticsearch complaining because there is no pipeline with a name of (literally) %{[@metadata][pipeline]}

(I should point out that this is not a standard Elastic deployment, so please just take it as given that normally there would normally be a [@metadata][pipeline], but some beats (in this case Journalbeat) doesn't set one, which exposed an issue from earlier in my processing.

I'm trying to create a filter to clean up such cases, but to do that I need to compare something with ${[@metadata][pipeline]} (there are some other examples too). Problem is, I can't seem to escape this so I get a literal sequence of '$' '{' ...

I'm going to fix this properly in my upstream processing, but it seems like something that would useful to know how to do.

Any clues?

Things I've tried:

  • \%
  • %%
  • single quotes

None appear to have worked, and I do have config.support_escapes set to true.

I do have a regular expression of =~ /^%/ that works, but I don't think =~ /%{/ worked. Would be nice to have something faster than a regex for such a simple thing.


I cannot test it right now, but I think a prune filter should be able to do this. The default value of blacklist_names is to remove failed sprintf references. It should be simple to do the same for blacklist_values,

I knew there was a reason I like prunes, thanks!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.