Kv: empty field is saved

Adam_Szabo · June 16, 2017, 7:42am

I have a log source which has messages where the fields are in the fieldName='fieldValue' format.

I use the kv filter to parse it, and trim it by the apostrophes.

I noticed, however, that the empty fields are saved to Elasticsearch.
For example a field like authLevel=''
is saved as "authLevel": ""

As far as I know, empty values are not saved in Elaticsearch.
(And for another log source of mine it works fine and empty values are not saved. However, there I use Grok.)

If a field has no values, how is it stored in an inverted index?

That’s a trick question, because the answer is: it isn’t stored at all.
Dealing with Null Values | Elasticsearch: The Definitive Guide [2.x] | Elastic

This is the kv filter I use:
kv {
exclude_keys => [ "transferId" ]
trim_value => "'"
}

Why are the empty fields saved if I use kv?

magnusbaeck · June 19, 2017, 5:37am

This is more of an Elasticsearch question so you might get better answers in that group.

I think you are comparing apples to oranges. The documented you referenced talks about how different field values are represented in ES's inverted index, but you seem to expect that the fields won't be included in the documents when you later retrieve them. That's not the case. You'll retrieve the documents as you stored them.

system · July 17, 2017, 5:37am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to don't save empty fields in elastic search? Elasticsearch	2	553	November 28, 2019
Updating field that is an empty string Elasticsearch	6	836	May 17, 2022
Fields splitting from kv filter not containing blank values Logstash	3	383	January 9, 2020
Disapearing fields during kv parsing Elasticsearch	2	266	December 29, 2021
KV filter in logstash 7.2.0 doesn't store a key having empty value Logstash	2	449	August 30, 2019

Kv: empty field is saved

Related topics