Logstash mutate - convert empty string to null

selivan · June 29, 2017, 10:11am

There is a field in log file, which contains IP address or empty string if IP address is not available.
Elasticsearch index has mapping, that maps "ip" type to this field. When field value is empty string, logstash can not save data to index:

[WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch
...
"error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse [doc.ip]", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"'' is not an IP string literal."}}}}}

To fix this, I need to convert empty string to null with logstash. This doesn't work:

if [doc][ip] == "" {
  mutate {
    replace => { "[doc][ip]" => null }
  }
}

Because it converts value to string "null". "nil" doesn't work either.

What is correct syntax to convert field to null value?

magnusbaeck · June 29, 2017, 10:20am

The Logstash configuration language doesn't support null values. You'll have to use a ruby filter. Or could you just remove the field?

paz · June 29, 2017, 10:25am

Why not just delete the field? It's more straightforward than trying to force null values from the logstash side.

if [doc][ip] == "" {
  mutate {
   remove_field => ["[doc][ip]"]
  }
}

You could also take a look on this mapping setting

selivan · June 29, 2017, 11:04am

Thank you, @paz and @magnusbaeck. Removing the field instead of setting it to null solves the problem

system · July 27, 2017, 11:04am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to write NULL value for a field Logstash	2	7746	July 6, 2017
Can't convert the string datatype to ip Logstash	3	2756	February 9, 2018
Failing to index geo_shape data into Elasticsearch from Logstash (nil values) Logstash	3	411	May 24, 2022
Mutate Gsub not working Logstash	15	2744	June 26, 2018
Null value causing errors? Elasticsearch	4	2358	July 5, 2017

Logstash mutate - convert empty string to null

Related Topics