Logstash mutate - convert empty string to null

selivan · June 29, 2017, 10:11am

There is a field in log file, which contains IP address or empty string if IP address is not available.
Elasticsearch index has mapping, that maps "ip" type to this field. When field value is empty string, logstash can not save data to index:

[WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch
...
"error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse [doc.ip]", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"'' is not an IP string literal."}}}}}

To fix this, I need to convert empty string to null with logstash. This doesn't work:

if [doc][ip] == "" {
  mutate {
    replace => { "[doc][ip]" => null }
  }
}

Because it converts value to string "null". "nil" doesn't work either.

What is correct syntax to convert field to null value?

magnusbaeck · June 29, 2017, 10:20am

The Logstash configuration language doesn't support null values. You'll have to use a ruby filter. Or could you just remove the field?

paz · June 29, 2017, 10:25am

Why not just delete the field? It's more straightforward than trying to force null values from the logstash side.

if [doc][ip] == "" {
  mutate {
   remove_field => ["[doc][ip]"]
  }
}

You could also take a look on this mapping setting

selivan · June 29, 2017, 11:04am

Thank you, @paz and @magnusbaeck. Removing the field instead of setting it to null solves the problem

system · July 27, 2017, 11:04am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Change "null" to null value Logstash	2	958	July 30, 2018
Replace empty field with a value Logstash	3	6352	February 7, 2018
Comparing to null in logstash Logstash	2	4080	May 11, 2018
How to write NULL value for a field Logstash	2	7768	July 6, 2017
Can't convert the string datatype to ip Logstash	3	2761	February 9, 2018

Logstash mutate - convert empty string to null

Related topics