HTTP output - conditional mapping

somni · February 21, 2019, 11:07pm

I'm doing mapping on my http output to slim down which fields for event logs are included. Currently I'm doing this in the http output:
mapping => {
"event" => {
"event_id" => "%{event_id}"
"message" => "%{message}"
"log_name" => "%{log_name}"
}
}

Challenge is, some of the logs coming in dont contain some of the fields i'm referencing in the mapping, yet the raw %{fieldname} is still passed in the output. Is it possible to do conditional mapping in outputs? If not, what's the best way to do the conditional mapping before passing to output?

Thanks

Badger · February 21, 2019, 11:50pm

You could use mutate+add_field to add fields to a field on the event called event. Then you could remove any fields from inside event that start with "%{". Then add event to the mapping perhaps?

    ruby {
        code => '
            event.get("event").each { | k, v |
                if v.start_with? "%{"
                    event.remove("[event][#{k}]")
                end
            }
        '
    }

system · March 21, 2019, 11:50pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.