Logstash, split field and remove field

SBH · March 27, 2020, 1:02pm

Hi,

working on my logstash conf file.

I have a remove field like this:

remove_field => ["[data][tasks][data]"]

And then i have a split field like this:

split {field => "[data][tasks]"}

But when i see it in Discover, the Data.tasks.Data is there again.

It seems like i'm not removing it on the correct event.

I noticed that if i have the split first, it works, but i want the data to be removed immediatly, so that the data i am working on after, is clean, and the split doesn't have to handle that much data.

Regards

Badger · March 27, 2020, 3:52pm

Field names are case sensitive. data.tasks.data and Data.tasks.Data are different fields.

Also, if [data][tasks] is an array then that remove_field will not do anything. You need to include the array index in it, or else do something like this.

SBH · March 30, 2020, 8:00am

It is lowercase all the way so no problem. That is not the problem. How do i include array index, that can actually vary?

Badger · March 30, 2020, 3:09pm

Then use ruby, like the code I linked to.

system · April 27, 2020, 3:09pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Transform each array item (nested object) in a new document - Splitting a field before removing it Logstash	8	1785	March 25, 2019
Logstash remove after split Logstash	2	742	December 23, 2020
Remove objects in arrays Logstash	2	454	November 28, 2018
Removing fields with certain value (or if mapping is not found) from the output Logstash	8	2295	June 12, 2019
Mutate remove_field not working for JSON field Logstash	7	6998	July 6, 2017

Logstash, split field and remove field

Related topics