Hi,
My usecase i want to drop a field if it doesnt satisfy the value like
if [ServerName] ! "data-0","data-1","data-2"
drop ServerName
(i.e. I want to drop the ServerName field in an event if it doesn't have either data-0,data-1,data-2 in it.
Note: I dont want to stop the whole event i just want to drop only the ServerName field.
Thanks
I think mutate should do trick for you https://www.elastic.co/guide/en/logstash/current/plugins-filters-mutate.html#plugins-filters-mutate-remove_field
Thanks
Looking into it but i want to check not equal condition on 3 strings in ServerName field
if !("SERVERNAME" in ["esndata-0", "esndata-1", "esndata-2" ]) {
mutate { add_tag => "shouldexist" }
}
}
That is if SERVERNAME doesnt have either of the given strings then it should add a tag.
Is the above syntax is correct?
Thanks
Syntax not exactly correct, uncle google is your friend - this should help https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html#conditionals
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.