Logstash, split field and remove field

SBH · March 27, 2020, 1:02pm

Hi,

working on my logstash conf file.

I have a remove field like this:

remove_field => ["[data][tasks][data]"]

And then i have a split field like this:

split {field => "[data][tasks]"}

But when i see it in Discover, the Data.tasks.Data is there again.

It seems like i'm not removing it on the correct event.

I noticed that if i have the split first, it works, but i want the data to be removed immediatly, so that the data i am working on after, is clean, and the split doesn't have to handle that much data.

Regards

Badger · March 27, 2020, 3:52pm

Field names are case sensitive. data.tasks.data and Data.tasks.Data are different fields.

Also, if [data][tasks] is an array then that remove_field will not do anything. You need to include the array index in it, or else do something like this.

SBH · March 30, 2020, 8:00am

It is lowercase all the way so no problem. That is not the problem. How do i include array index, that can actually vary?

Badger · March 30, 2020, 3:09pm

Then use ruby, like the code I linked to.

system · April 27, 2020, 3:09pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.