Hello all,
i want to remove "ZC" in a field and converted in a negative float
"account_value" => "767.19ZC",
"@timestamp" => 2020-01-06T23:00:00.000Z
why this statement is not working?
filter{
if "ZC" in "field" {
mutate {
gsub => [
"field","ZC",""
]
}
}
}
without "if" statement works
filter{
mutate {
gsub => [
"field","ZC",""
]
}
}Hi,
The if statement does not look for field string content but exact value,
for example you can use this if your field was array and ZC was one of the value of that array
array = [ 'ZC' , 'foo' , 'bar' ]
the IN statement implies to match the exact value you can use regular expressions with:
if "field" =~ "REGEXP"
Hello grumo35,
thank you but i've solved. The problem was syntax. Change "field" for [field], it works perfectly now.
filter{
if "ZC" in [field] {
mutate {
gsub => [
"field","ZC",""
]
}
}
}Well, I would say that is the most frequent case:
if [field] in ["apples","oranges","pineapples"] { # looks for exact match between the complete field and any of the array elements
but, checking carefully the documentation on conditionals: https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html#conditionals
It also allows looking for "string in field", equivalent to the regex example you posted.
if "apple" in [field] { # will match both "apples" and "pineapples"
I would add that, working with in conditionals, there is a bug that has to be taken into account: one-element array comparison doesn't work.
if [field] in ["apples"] { # won't match even if field = "apples"
@nino
Thanks for adding your working configuration 
wow didnt knew this could work like this, thanks
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.