Null error with greater-than comparison on an integer field

Hello All,
I am getting an error which suggests that my if-statement is trying to do a > (greater-than) expression comparison against a null value. When I comment out the if-statement everything works as expected.
Here is the

filter {
 if [netflow][fw_ext_event] != '' {

   mutate { convert => {"[netflow][fw_ext_event]" => "integer" }}

   ######## This does not work######
   #if [netflow][fw_ext_event] > 2000 {
   #  mutate { add_field => { "netflow.fw_ext_event_name" => "flowDeleted"} }
   #}
   ########

   if [netflow][fw_ext_event] == 1001 {
   #} else if [netflow][fw_ext_event] == 1001 {
     mutate { add_field => { "netflow.fw_ext_event_name" => "deniedByIngressACL"} }
   } else if [netflow][fw_ext_event] == 1002 {
     mutate { add_field => { "netflow.fw_ext_event_name" => "deniedByEgressACL"} }
   } else if [netflow][fw_ext_event] == 1003 {
     mutate { add_field => { "netflow.fw_ext_event_name" => "deniedICMP"} }
   } else if [netflow][fw_ext_event] == 1004 {
     mutate { add_field => { "netflow.fw_ext_event_name" => "deniedNonSYNPacket"} }
   }

 }
}

Here is the error message:
java.lang.NullPointerException: null

[ERROR][org.logstash.execution.WorkerLoop] Exception in pipelineworker, the pipeline stopped processing new events, please check your filter configuration and restart Logstash.
java.lang.NullPointerException: null

netflow.fw_ext_event is an integer, but I still convert it to an integer as a test to validate that I am not doing a greater-than comparison against a text field.

Can anyone please provide some insight into why I am getting the null error?
Thank you!!

I think the problem is that the field [netflow][fw_ext_event] does not exist. I notice that when you add the name you use a period in the name and do not add a field to the netflow object. Should you be referring to netflow.fw_ext_event?

if [netflow][fw_ext_event] != '' {

If the field does not exist then the left-hand side is nil, which is not equal to an empty string. The normal way to test for existence is just

if [netflow][fw_ext_event] {

Thank you. That worked, here is my full filter, for reference:

if [netflow][fw_ext_event] {

   if [netflow][fw_ext_event] >= 2000 {
     mutate { add_field => { "netflow.fw_ext_event_name" => "flowDeleted"} }
   } else if [netflow][fw_ext_event] == 1001 {
     mutate { add_field => { "netflow.fw_ext_event_name" => "deniedByIngressACL"} }
   } else if [netflow][fw_ext_event] == 1002 {
     mutate { add_field => { "netflow.fw_ext_event_name" => "deniedByEgressACL"} }
   } else if [netflow][fw_ext_event] == 1003 {
     mutate { add_field => { "netflow.fw_ext_event_name" => "deniedICMP"} }
   } else if [netflow][fw_ext_event] == 1004 {
     mutate { add_field => { "netflow.fw_ext_event_name" => "deniedNonSYNPacket"} }
   }

}

You might consider replacing the four == tests with a translate filter. With four tests if else is OK, but if it gets bigger I would definitely consider using translate.

I replaced this:

if [netflow][fw_ext_event] {
   if [netflow][fw_ext_event] >= 2000 {
     mutate { add_field => { "netflow.fw_ext_event_name" => "flowDeleted"} }
   } else if [netflow][fw_ext_event] == 1001 {
     mutate { add_field => { "netflow.fw_ext_event_name" => "deniedByIngressACL"} }
   } else if [netflow][fw_ext_event] == 1002 {
     mutate { add_field => { "netflow.fw_ext_event_name" => "deniedByEgressACL"} }
   } else if [netflow][fw_ext_event] == 1003 {
     mutate { add_field => { "netflow.fw_ext_event_name" => "deniedICMP"} }
   } else if [netflow][fw_ext_event] == 1004 {
     mutate { add_field => { "netflow.fw_ext_event_name" => "deniedNonSYNPacket"} }
   }
 }

With this:

if [netflow][fw_ext_event] {
   if [netflow][fw_ext_event] >= 2000 {
     mutate { add_field => { "netflow.fw_ext_event_name" => "flowDeleted"} }
   } else {
      translate {
         #field => "netflow.fw_ext_event"
         field => "[netflow][fw_ext_event]"
         #destination => "netflow.fw_ext_event_name"
         destination => "[netflow][fw_ext_event_name]"
         dictionary => {
               #"0" => "undefined(0)"
               "1001" => "deniedByIngressACL"
               "1002" => "deniedByEgressACL"
               "1003" => "deniedICMP"
               "1004" => "deniedNonSYNPacket"
             }
         #fallback => "UNKNOWN(%{[netflow][fw_ext_event]})"
      }
   }
}

Thank you for your guidance! Cheers!!
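An added example, not part of the original thread and not Logstash's own code: a small Ruby model of the two guards discussed above, run over constructed events, showing that `!= ''` lets a missing field (nil) through to the `>=` comparison while the bare existence test stops it. The method names and sample events are assumptions; in the model the failure surfaces as a NoMethodError, where the thread's pipeline reported a NullPointerException.

```ruby
# Ruby model of the two guards from the thread; a missing field reads as nil.
EVENT_NAMES = {
  1001 => "deniedByIngressACL",
  1002 => "deniedByEgressACL",
  1003 => "deniedICMP",
  1004 => "deniedNonSYNPacket",
}.freeze

# Hypothetical helper: nil when the field (or the netflow object) is absent.
def fw_ext_event(event)
  event.dig("netflow", "fw_ext_event")
end

# Guard from the first post: nil != '' is true, so nil reaches the comparison.
def name_with_empty_string_guard(event)
  code = fw_ext_event(event)
  return nil unless code != ''
  code >= 2000 ? "flowDeleted" : EVENT_NAMES[code]
end

# Guard from the reply: a bare existence test stops nil before the comparison.
def name_with_existence_guard(event)
  code = fw_ext_event(event)
  return nil unless code
  code >= 2000 ? "flowDeleted" : EVENT_NAMES[code]
end

# Apply one guard to every event; :crash marks an event that raised.
def run(events, guard)
  events.map do |event|
    begin
      send(guard, event)
    rescue NoMethodError
      :crash
    end
  end
end

# Constructed sample events (not taken from the thread).
SAMPLE = [
  { "netflow" => { "fw_ext_event" => 1001 } },
  { "netflow" => { "fw_ext_event" => 2030 } },
  { "netflow" => { "in_bytes" => 512 } },   # netflow event without the field
  { "message" => "not a netflow event" },   # no netflow object at all
].freeze

if __FILE__ == $PROGRAM_NAME
  p run(SAMPLE, :name_with_empty_string_guard)
  p run(SAMPLE, :name_with_existence_guard)
end
```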
