Hi, I have a question regarding updating and removing in Logstash. My situation is that I am collecting logs using an API. The first time data is shipped into Logstash, the "GeoIP" field is an empty space, but it will be updated/removed in the future.
If there are any changes to the "GeoIP" field, I have already set it to store the date and time in the field "Whois_geoip_changes" using the code below, and it's working as shown in the picture.
    if [Geoip] =~ /.+/ {
      mutate {
        replace => { "Whois_geoip_changes" => "%{@timestamp}" }
      }
    }
But the problem now is that the @datetime for other fields keeps on changing even though the data is still the same. I would like to know whether it is possible that:
- if data (for example the Nameserver field) is removed, the "Whois_nameservers_changes" date will still show the date when the data was removed.
- if data (for example the Nameserver field) did not have any changes or updates, the "Whois_nameservers_changes" (@datetime) date will remain the same.
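
The comparison the two bullet points describe, as an added example that is not part of the original post: the change timestamp moves only when a tracked value is added, edited or removed, and is carried over otherwise. It assumes the previously stored document for the same record has already been fetched and is passed in as `previous` (how that lookup is done is not covered here); `stamp_changes`, `normalize` and the sample values are hypothetical.

```ruby
require "time"

# Source field => change-timestamp field, using the names from the post.
TRACKED = {
  "Geoip"      => "Whois_geoip_changes",
  "Nameserver" => "Whois_nameservers_changes",
}.freeze

# Treat nil, "", whitespace and [] as "no data"; sort lists so that a
# reordered nameserver set is not reported as a change.
def normalize(value)
  Array(value).map { |v| v.to_s.strip.downcase }.reject(&:empty?).sort
end

# previous: document already stored for this record (nil on first sight).
# current:  freshly collected event.
# Returns a copy of current where each *_changes field is either carried
# over from previous (value unchanged) or set to `now` (added/edited/removed).
def stamp_changes(previous, current, now)
  result = current.dup
  TRACKED.each do |field, changes_field|
    old_value = normalize(previous && previous[field])
    new_value = normalize(current[field])
    old_stamp = previous && previous[changes_field]
    if old_value != new_value
      result[changes_field] = now.utc.iso8601   # includes removal
    elsif old_stamp
      result[changes_field] = old_stamp         # unchanged: keep old date
    else
      result.delete(changes_field)              # never changed: no date yet
    end
  end
  result
end

if __FILE__ == $0
  # Constructed sample data: first collection, then the nameservers removed.
  stored = stamp_changes(nil, { "Geoip" => " ", "Nameserver" => ["ns1.example.net"] },
                         Time.utc(2024, 1, 1))
  puts stamp_changes(stored, { "Geoip" => " " }, Time.utc(2024, 2, 1)).inspect
end
```
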