Logstash filter only particular fields and index those fields

Hi,

I have Heartbeat, which pushes data to port 5044, from which Logstash consumes it.
I want to index only if monitor.status is down. I am using the tag heartbeat to differentiate the various Beats inputs.

My data:
{
  "_index": "heartbeat-2022.04.26",
  "_type": "_doc",
  "_id": "18",
  "_version": 1,
  "_score": null,
  "fields": {
    "monitor.status": [
      "down"
    ],
    "monitor.name.text": [
      "prasanth"
    ],

I tried with prune, but it is not whitelisting the nested field.

Hi,

If I understand correctly, if monitor.status is not equal to down, then you don't send data.
Then use the drop filter in a conditional like this:

if [monitor.status][0] != "down" {
  drop { }
}

Cad.

Hey Cad,
Thanks. I tried that, but it seems it is dropping all data to the index.

Well, that's what you meant when you asked us previously:

Logstash does not use the same syntax as Kibana and Elasticsearch to reference nested fields. You may want if [monitor][status][0] != "down" {

It's even dropping the down status.

Hi ...
if [monitor][status][0] != "down" { did not work, but if [monitor][status] != "down" {
worked.

Thanks both
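
The working conditional from this thread, placed in a full pipeline together with a prune whitelist (added example, not posted by any participant). The Elasticsearch host and the list of fields to keep are assumptions; prune matches top-level field names only, so the whitelist names the parent object monitor rather than monitor.status.

```conf
# Added example: hosts value and whitelist entries are assumptions.
input {
  beats {
    port => 5044
  }
}

filter {
  # Only act on events carrying the heartbeat tag; other Beats pass through.
  if "heartbeat" in [tags] {
    # Nested fields are referenced as bracket paths. [monitor.status] would
    # look for one top-level field literally named "monitor.status".
    if [monitor][status] != "down" {
      drop { }
    }

    # prune operates on top-level names, so keep the whole "monitor" object.
    prune {
      whitelist_names => [ "^@timestamp$", "^tags$", "^monitor$" ]
    }
  }
}

output {
  if "heartbeat" in [tags] {
    elasticsearch {
      hosts => ["http://localhost:9200"]   # placeholder host
      index => "heartbeat-%{+YYYY.MM.dd}"
    }
  }
}
```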
