Removing GREEDYDATA from Filter leaves empty "curly brace" at result?

samyo · March 14, 2019, 10:53am

hello Folks,
i have following issue, i am using Grok filter with GREEDYDATA wich i want to remove(drop it of) out of my result, this is what i used , but at result it is still giving me an empty curly brace {} wich i do not want to get it in my Result,
logfile example,
abcdefg Final Hello

i want to get as result just Hello, nothing else, see my Filter,

grok {
match => [ "message" , "%{GREEDYDATA} Final %{WORD:word}"]
}
mutate {remove_field => ["message","tags","host',"@timestamp","@version"]}

At Result it should give me just
{"word" : "Hello"}
but it gives me as follow,
{}
{"word" : "Hello"}

How can i remove this empty "{}"
thx.

Badger · March 14, 2019, 12:42pm

Are you saying that logstash produces that result? Is that the output from a rubydebug codec? Which version are you running?

samyo · March 14, 2019, 2:17pm

that is my all output about, i am using losgstash-6.3.1 version,
output {
file {
path => "C:\Users\samyo\Desktop\ELK\outputtest.log"
codec => line
}
}
i did not use the rubydebug .
the empty {} was full with "message , "@version", "host" etc, wich i deleted with mutate filter.
after deleting those , it stills print me an empty {} as result , how can i remove it from end result.

Badger · March 14, 2019, 3:48pm

The empty {} represents an event from which you have removed all the fields. If you want to ignore lines that do not match the grok filter you could use

if "_grokparsefailure" in [tags] { drop {} }

after the grok filter.

samyo · March 15, 2019, 7:50am

thank you Badger , it works , you are the best .
thx .

system · April 12, 2019, 7:50am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.