How to filter empty objects in Logstash?

ppuschmann · December 3, 2020, 6:41am

Hi,
given you get the following access-log:

{
  "container_id": "b62946591d90f24",
  "service": "slash",
  "bytes_received": 0,
  "input": {},
  "type": "filebeat",
  "protocol": "HTTP/1.1",
  "bytes_sent": 8236,
  "host": "docker-48",
  "response_time": 34,
  "tags": [
    "filebeat",
    "beats_input_raw_event"
  ],
  "query_string": {},
  "log_type": "access",
  "status": 200,
  "loglevel": "info",
  "request_method": "GET",
  "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.67 Safari/537.36",
  "uri": "/services/my-service",
  "remote_address": "172.17.0.1",
  "stream": "stdout"
}

The mapping for the field query_string is set to text.
This causes ES to complain, because query_string is an (empty) object.

How would you filter for this (sort of) invalid field in Logstash?
(or prevent the creation)

Tools: Docker, filebeat v6 + Logstash v6 (with the idea to upgrade to v7 soon)

Raynald · December 4, 2020, 4:27pm

You could check if value of this field is null, and then set value with empty value like this :
ruby { code => " if event.get('query_string') == nil then event.set('query_string', '') end " }

system · January 1, 2021, 4:28pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.