Logstash remove after split

tamilarasanbravo · November 25, 2020, 7:12am

Hi Team,

I have configured a logstash http which receives JSON data. As part of the logstash filter I split a json field/value of array into 5 different key values. i.e.,

original Field

commits : { author : TJ
email: tj@email.com
added: adding details
modified: asadasd
}

Got modified into

commits.author: tj
commits.email : tj@email.com
commits.added : adding detail
commits.modified : asasas

Now, after it got split using split filter I am trying to delete (commits.modified) but I am unable to do so.

Pasting my current filter for further reference.

filter {
    split { field => "commits" }
    mutate { remove_field => [ "[commits.modified]" ] }
}

Looking forward to any help.

Regards
TJ

Badger · November 25, 2020, 1:45pm

If [modified] is a field inside the [commits] object then in logstash that would be referred to as [commits][modified]. [commits.modified] would refer to a field that contains a period in its name.

If [commits] is a hash then I would expect split to log an error. It operates on arrays and strings, not hashes.

system · December 23, 2020, 1:45pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.