How to remove event with "'<nil>'" value on an IP type field

Thuunder7 · May 9, 2022, 4:41pm

Hello,

I am trying to drop events every time the field [dns.resolved_ip] is ''. I have tried multiple approachs but without successs.

"reason"=>"failed to parse field [dns.resolved_ip] of type [ip] in document with id 'G5mrqYABOI1CdVDindTb'. Preview of field's value: ''", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"'' is not an IP string literal."

Two filters i tried to use:

filter {
    if [agent][type] == "packetbeat" {
        if ![dns][resolved_ip] {
           drop{}
        }
    }
}

and i also have tried:

filter {
    if [agent][type] == "packetbeat" {
        if [dns][resolved_ip] == "<nil>" { #i also tried with "'<nil>'"
           drop{}
        }
    }
}

Do you have any guesses?
Thank you,

aaron-nimocks · May 9, 2022, 5:32pm

Preview of field's value: ''" says the value is '' not <nil>.

Try just if [dns][resolved_ip] == "" to match that value.

Thuunder7 · May 9, 2022, 5:47pm

I don't know why but i probably deleted the correct logstash log.

Preview of field's value: '<nil>'", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"'<nil>' is not an IP string literal."

The above log is the correct one.

aaron-nimocks · May 9, 2022, 6:08pm

What you have is correct.

Maybe the if [agent][type] == "packetbeat" condition isn't being met?

input {
  generator {
    lines => [ '{ "msg": "<nil>" }' ]
    count => 1
    codec => json
  }
}
filter {
  if [msg] == "<nil>" {
    mutate { add_tag => "condition met" }
  }

}
output {
  stdout { codec =>  "json_lines" }
}

Output

{
    "msg": "<nil>",
    "@timestamp": "2022-05-09T18:07:02.875Z",
    "tags": [
        "condition met"
    ]
}

Thuunder7 · May 9, 2022, 6:29pm

The condition if [agent][type] == "packetbeat" is being met, since i have a remove_fields and it is working. I can see the documents being indexed on elastic without the fields i removed.
Like this:

filter {
    if [agent][type] == "packetbeat" {
        if [dns][resolved_ip] == "<nil>" {
          drop {}
        }
        mutate {
           remove_field => ["[dns][additionals_count]", "[dns][opt][udp_size]"]
        }
    }
}

Badger · May 9, 2022, 7:11pm

The packetbeat documentation says dns.resolved_ip is an array. Does it work if you use this?

    if [dns][resolved_ip][0] == "<nil>" {

Thuunder7 · May 9, 2022, 7:45pm

Your solution seems to work! (from the time interval that i am checking the logs, they didn't appear again)
Thank you very much for both of your answers.

Topic		Replies	Views
Filter to drop all packets that are null not working Logstash	4	712	March 29, 2017
How to remove any field matching a string Logstash	2	941	July 6, 2017
Ignore the entire message if one field is nil Logstash	3	331	March 24, 2020
Change Nil values to set default value Logstash	4	441	April 21, 2023
Remove fields with empty value Logstash	6	5895	May 29, 2020

How to remove event with "'<nil>'" value on an IP type field

Related topics