HTTP output - conditional mapping

somni · February 21, 2019, 11:07pm

I'm doing mapping on my http output to slim down which fields for event logs are included. Currently I'm doing this in the http output:
mapping => {
"event" => {
"event_id" => "%{event_id}"
"message" => "%{message}"
"log_name" => "%{log_name}"
}
}

Challenge is, some of the logs coming in dont contain some of the fields i'm referencing in the mapping, yet the raw %{fieldname} is still passed in the output. Is it possible to do conditional mapping in outputs? If not, what's the best way to do the conditional mapping before passing to output?

Thanks

Badger · February 21, 2019, 11:50pm

You could use mutate+add_field to add fields to a field on the event called event. Then you could remove any fields from inside event that start with "%{". Then add event to the mapping perhaps?

    ruby {
        code => '
            event.get("event").each { | k, v |
                if v.start_with? "%{"
                    event.remove("[event][#{k}]")
                end
            }
        '
    }

system · March 21, 2019, 11:50pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Using HTTP output plugin and mapping tag Logstash	3	1210	May 8, 2019
How to refer to the whole modified event inside http output plugin Logstash	3	194	July 28, 2023
Removing fields with certain value (or if mapping is not found) from the output Logstash	8	2295	June 12, 2019
Ruby Filter output to Field Logstash	3	1951	July 6, 2017
How to generate only events in output Logstash	2	320	April 24, 2018

HTTP output - conditional mapping

Related topics