IF with multiple OR

I have multiple fields that I need to check and, if they meet a shared value, it needs to be mutated. Is it possible to do something like this:

if "pass" in [field1] or [field2] or [field3] {
  mutate {
    replace "%{FieldThatMeetsEvaluation}" => "Pass"
  }
}

So I guess two questions here:

  1. Can I use a single if statement to check multiple fields for a value being present?
  2. Is it possible to reference the field(s) that match later on, to run a filter on the field?

Bump

Can I use a single if statement to check multiple fields for a value being present?

if "pass" in [field1] or "pass" in [field2] or "pass" in [field3] {

Is it possible to reference the field(s) that match later on, to run a filter on the field?

No.

So I would have to write something like?

filter {
  if "pass" in [field1] {
    mutate {
      replace => {"field1" => "Pass"}
    }
  }
  if "pass" in [field2] {
    mutate {
      replace => {"field2" => "Pass"}
    }
  }
  if "pass" in [field3] {
    mutate {
      replace => {"field3" => "Pass"}
    }
  }
}

It might be possible to use add_field to build a string containing the three fields as key=value pairs, then use grok to do a match for SOMEPATTERN=Pass, then a replace based on the value captured by grok.

But it will make your eyes bleed.

lol, just your explanation melts my brain. I think the deciding factor would be which method can be processed faster.

Thankfully it does not work. I can get a field name into a field called whichone, but I cannot get the left side of a mutate/replace to reference it.

BTW '"pass" in [field1]' is almost certainly not what you want. Are you looking for '[field1] =~ "pass"', perhaps?

My field(s) SHOULD have one of two values, pass or fail. Unfortunately, some of the data that gets ingested also has Pass. This throws off visualizations, where for example, pie graphs have three slices instead of two.

So mutate/lowercase would fix your issue?

Yes.....yes it would.....lol. Thanks.
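
The fix the thread settles on, written out as a complete pipeline. This is an added example, not part of any poster's reply: the generator input, its sample events and the `unexpected_result_value` tag are constructed for illustration, and only `field1`, `field2` and `field3` come from the thread.

```logstash
# Constructed test input: three events with mixed-case and unexpected values.
input {
  generator {
    lines => [
      '{"field1":"Pass","field2":"fail","field3":"pass"}',
      '{"field1":"FAIL","field2":"Pass","field3":"Fail"}',
      '{"field1":"pass","field2":"n/a","field3":"fail"}'
    ]
    count => 1
    codec => json
  }
}

filter {
  # One mutate normalizes all three fields, so "Pass" and "pass"
  # become the same term and no per-field conditional is needed.
  mutate {
    lowercase => ["field1", "field2", "field3"]
  }

  # A single if with multiple ORs, each comparison written out in full.
  # With an array on the right-hand side, "in" tests membership
  # (with a string it would be a substring test).
  if [field1] not in ["pass", "fail"]
     or [field2] not in ["pass", "fail"]
     or [field3] not in ["pass", "fail"] {
    mutate {
      add_tag => ["unexpected_result_value"]
    }
  }
}

output {
  stdout { codec => rubydebug }
}
```

Only the third event should carry the tag, because its `field2` is neither `pass` nor `fail` after lowercasing.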
