How to remove fields with - values in logstash filter?

Anusha_Kusanghi · December 3, 2021, 11:31am

I have a patterns like :

2021-10-15 20:00:13 2396 tstur1 /ftp/workspace/ this is message
2020-10-15 18:00:13 - - this is the second message
The fields are Date, Time, SessionId, path and message.
The grok pattern used is :
%{DATE:date} %{TIME:time} %{DATA:sessionid} %{DATA:username} %{DATA:path} %{GREEDYDATA:message}

is it possible to do a dynamic filter in logstash that will remove any fields with - value?

AquaX · December 3, 2021, 4:39pm

Absolutely!
After your grok statement you can write an if statement.

if [sessionid] == "-" {
   mutate {
      remove_field => ["sessionid"]
   }
}

Badger · December 3, 2021, 7:13pm

Another possible solution is a prune filter with the blacklist_values options.

Anusha_Kusanghi · December 6, 2021, 9:58am

thank you @AquaX for the help

Anusha_Kusanghi · December 6, 2021, 9:58am

thank you @Badger it worked

system · January 3, 2022, 9:59am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.