Logstash Json remove nested properties that have empty field name

david.preston · January 28, 2021, 2:30pm

Hi,

Are there any "out of the box" logstash functions for removing json properties that have empty field names.

e.g.
{
    "event":  {
         "data":  {
                "" : "some value"
         }
    }
}

I'm not able to reference this field to remove it and elastic wont accept it as a log.

I've tried:

mutate {
     remove_field => ["[event][data][]" ]
 }

but it needs a name in the last part of
[event][data][ ] of property reference
I've tried also from ruby code too, but also needs a name in property reference.

event.remove('[event][data][]')

I've also tried replacing in the "message" before parsing to json - but i couldn't get the regex to match ("":"").

e.g.

mutate {
  gsub => [ "message", '"":"",', ""]
}

I cant remove the parent object - because there are other properties in there that are valid.

Thanks

david.preston · January 28, 2021, 4:40pm

I've got a basic solution similar to this:

ref = "[event][properties][data]"
obj = event.get(ref)
if obj
  if obj.has_key?("")     
       obj.delete("")
       event.set(ref, obj)
  end
end

system · February 25, 2021, 4:40pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Removing nested fields with empty field names Logstash	4	2927	August 1, 2018
Removing parent fields and keeping nested fields of JSON Logstash	3	1525	August 2, 2017
How to remove fields with regex from json? Logstash	6	2626	January 16, 2018
The JSON filter can extract empty field names, which are then unusable by Logstash Logstash	1	351	May 31, 2021
Remove fields from nested json Logstash	3	3513	December 17, 2018

Logstash Json remove nested properties that have empty field name

Related topics