Logstash - Checking if a value or field exist in an array within an object

Elastic Stack Logstash
1

I am trying to check if a field exists within a pair in an array inside of a larger object. I've tried to just add the field as is to make sure i was using the proper syntax and it works. I've done

mutate {
add_field => ["fieldname","%{[objectName][arrayName][#][fieldName]}"]
}

This creates the new field while adding the proper field. However, when I attempt to check the if the field exists I either get nothing or I get an error about the syntax.

if ! [%{[objectName][arrayName][#][fieldName]}] {
add_field => ["fieldname","%{[objectName][arrayName][#][fieldName]}"]
}
else {
add_field => ["fieldname",""]
}

For the if ! I've also changed the field to:

  • %{[objectName][arrayName][#][fieldName]} : Gives syntax error
  • "%{[objectName][arrayName][#][fieldName]}" : Gives syntax error
  • [objectName][arrayName][#][fieldName] : gives nothing when there is and at others returns [objectName][arrayName][#][fieldName]
2

Got it to pull the appropriate value from the field, however, when it pulls the value even though the value doesnt exist it puts the literal name as the field value.

3

That is expected. If field [foo] does not exist then

mutate { add_field => { "someField" => "%{foo}" } }

will set [someField] to "%{foo}".

4

Is there anyway to set it to "" if there is no value. I added an else to that statement but it didn't seem to do anything just replaced it with "%{foo}"

5

There is no elegant solution. There is an issue on github that talks about changing the syntax to enable defaults, but no traction on it in the last few years.

You could use

mutate { gsub => [ "someField", "^%{.*}$", "" ] }