How to remove fields with - values in logstash filter?

Anusha_Kusanghi · December 3, 2021, 11:31am

I have a patterns like :

2021-10-15 20:00:13 2396 tstur1 /ftp/workspace/ this is message
2020-10-15 18:00:13 - - this is the second message
The fields are Date, Time, SessionId, path and message.
The grok pattern used is :
%{DATE:date} %{TIME:time} %{DATA:sessionid} %{DATA:username} %{DATA:path} %{GREEDYDATA:message}

is it possible to do a dynamic filter in logstash that will remove any fields with - value?

AquaX · December 3, 2021, 4:39pm

Absolutely!
After your grok statement you can write an if statement.

if [sessionid] == "-" {
   mutate {
      remove_field => ["sessionid"]
   }
}

Badger · December 3, 2021, 7:13pm

Another possible solution is a prune filter with the blacklist_values options.

Anusha_Kusanghi · December 6, 2021, 9:58am

thank you @AquaX for the help

Anusha_Kusanghi · December 6, 2021, 9:58am

thank you @Badger it worked

Topic		Replies	Views
How to remove a field Logstash	2	458	July 6, 2017
Remove a value in grok filter Logstash	9	2952	July 6, 2017
Unable to remove the field Logstash	2	702	July 6, 2017
Logstash: filter a dynamic field in the log line Logstash	5	592	July 6, 2017
Delete fields in events Logstash	3	495	May 18, 2017