Hi All,
I am trying to remove message for few service tags, but I am facing below issue.
Below is not working
if [SERVICE] in ["GET", "UPDATE"] {
mutate { remove_field => ["message"] }
}
Below is working
if "GET" not in [SERVICE] and "UPDATE" not in [SERVICE]{
mutate { remove_field => ["message"] }
}
Can someone please suggest what is wrong with the one which is not working
The first is an array membership test. It is equivalent to
if [SERVICE] == "GET" or [SERVICE] == "UPDATE" { ...
The second does substring matches. If "GET" appears anywhere in the [SERVICE] field then "GET" not in [SERVICE] is false. In other words it is
if [SERVICE] !~ /GET/ and [SERVICE] !~ /UPDATE/ { ...
which is very different to the first.
Hi @Badger ,
Thanks for your reply, yes service name is exact GET and UPDATE only. I missed not in the first statement while posting this question.
For any other service message should be removed , right ? but it is not getting removed this way.
if [SERVICE] not in ["GET", "UPDATE"] {
mutate { remove_field => ["message"] }
}
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.