Logstash Json remove nested properties that have empty field name

david.preston · January 28, 2021, 2:30pm

Hi,

Are there any "out of the box" logstash functions for removing json properties that have empty field names.

e.g.
{
    "event":  {
         "data":  {
                "" : "some value"
         }
    }
}

I'm not able to reference this field to remove it and elastic wont accept it as a log.

I've tried:

mutate {
     remove_field => ["[event][data][]" ]
 }

but it needs a name in the last part of
[event][data][ ] of property reference
I've tried also from ruby code too, but also needs a name in property reference.

event.remove('[event][data][]')

I've also tried replacing in the "message" before parsing to json - but i couldn't get the regex to match ("":"").

e.g.

mutate {
  gsub => [ "message", '"":"",', ""]
}

I cant remove the parent object - because there are other properties in there that are valid.

Thanks

david.preston · January 28, 2021, 4:40pm

I've got a basic solution similar to this:

ref = "[event][properties][data]"
obj = event.get(ref)
if obj
  if obj.has_key?("")     
       obj.delete("")
       event.set(ref, obj)
  end
end

system · February 25, 2021, 4:40pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to remove fields with regex from json? Logstash	6	2616	January 16, 2018
The JSON filter can extract empty field names, which are then unusable by Logstash Logstash	1	351	May 31, 2021
Remove part of field name from json inputted fields Logstash	9	3758	July 6, 2017
Remove dynamic nested field in JSON Logstash	2	654	November 9, 2018
Remove json object from nested log Logstash	1	449	March 14, 2023

Logstash Json remove nested properties that have empty field name

Related Topics