I have a logstash pipeline that its filter part looks like this:
filter {
if condition {
prune {
blacklist_names => ["^cat[1-8]$","^classifier.version$","^accessory_check$"]
}
http {
url => aURL
query => {
// relevant parts
}
verb => GET
body_format => "json"
ecs_compatibility => "disabled"
add_field => {
"cat1" => "%{[body][cat1]}"
"cat2" => "%{[body][cat2]}"
"cat3" => "%{[body][cat3]}"
"cat4" => "%{[body][cat4]}"
"cat5" => "%{[body][cat5]}"
"cat6" => "%{[body][cat6]}"
"cat7" => "%{[body][cat7]}"
"cat8" => "%{[body][cat8]}"
"accessory_check" => "%{[body][accessory_check]}"
"classifier.version" => "${CLASSIFIER_LATEST_VERSION}"
}
remove_field => ["body","headers","@timestamp","@version"]
}
}
}
As you know if for example "%{[body][cat1]}" be null then the value of cat1 would be string "%{[body][cat1]}" . but I want the value of cat1 be "" instead of "%{[body][cat1]}".
I could solve the problem by changing the pipeline like this:
filter {
if condition {
prune {
blacklist_names => ["^cat[1-8]$","^classifier.version$","^accessory_check$"]
}
http {
url => aURL
query => {
// relevant parts
}
verb => GET
body_format => "json"
ecs_compatibility => "disabled"
# add_field => {
# "cat1" => "%{[body][cat1]}"
# "cat2" => "%{[body][cat2]}"
# "cat3" => "%{[body][cat3]}"
# "cat4" => "%{[body][cat4]}"
# "cat5" => "%{[body][cat5]}"
# "cat6" => "%{[body][cat6]}"
# "cat7" => "%{[body][cat7]}"
# "cat8" => "%{[body][cat8]}"
# "accessory_check" => "%{[body][accessory_check]}"
"classifier.version" => "${CLASSIFIER_LATEST_VERSION}"
# }
remove_field => ["body","headers","@timestamp","@version"]
}
}
if [body][cat1] {
mutate{ add_field => {"cat1" => "%{[body][cat1]}"} }
} else {
mutate{ add_field => {"cat1" => ""} }
}
if [body][cat2] {
mutate{ add_field => {"cat2" => "%{[body][cat2]}"} }
} else {
mutate{ add_field => {"cat2" => ""} }
}
// and others
}
but as you can see its ugly. I wonder is there any alternative that reaches me to the same goal?