Logstash - Checking if a value or field exist in an array within an object

edster · July 25, 2019, 5:46pm

I am trying to check if a field exists within a pair in an array inside of a larger object. I've tried to just add the field as is to make sure i was using the proper syntax and it works. I've done

mutate {
add_field => ["fieldname","%{[objectName][arrayName][#][fieldName]}"]
}

This creates the new field while adding the proper field. However, when I attempt to check the if the field exists I either get nothing or I get an error about the syntax.

if ! [%{[objectName][arrayName][#][fieldName]}] {
add_field => ["fieldname","%{[objectName][arrayName][#][fieldName]}"]
}
else {
add_field => ["fieldname",""]
}

For the if ! I've also changed the field to:

%{[objectName][arrayName][#][fieldName]} : Gives syntax error
"%{[objectName][arrayName][#][fieldName]}" : Gives syntax error
[objectName][arrayName][#][fieldName] : gives nothing when there is and at others returns [objectName][arrayName][#][fieldName]

edster · August 5, 2019, 3:16pm

Got it to pull the appropriate value from the field, however, when it pulls the value even though the value doesnt exist it puts the literal name as the field value.

Badger · August 5, 2019, 3:19pm

That is expected. If field [foo] does not exist then

mutate { add_field => { "someField" => "%{foo}" } }

will set [someField] to "%{foo}".

edster · August 5, 2019, 3:25pm

Is there anyway to set it to "" if there is no value. I added an else to that statement but it didn't seem to do anything just replaced it with "%{foo}"

Badger · August 5, 2019, 4:09pm

There is no elegant solution. There is an issue on github that talks about changing the syntax to enable defaults, but no traction on it in the last few years.

You could use

mutate { gsub => [ "someField", "^%{.*}$", "" ] }

system · September 2, 2019, 4:21pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.