This is what I am trying:
# if geoip city and region are both blank, replace region value with country value
# this is to avoid double ?s in alerts for example "?,?"
if [geoip][city_name] == "?" and [geoip][region_name] == "?" {
  mutate {
    replace => { "[geoip][region_name]" => "%{[geoip][country_name]}" }
  }
}
However the "?" in geoip.region_name is still there, not replaced. Any idea why?