This is what I am trying:
# if geoip city and region are both blank, replace region value with country value
# this is to avoid double ?s in alerts for example "?,?"
if [geoip][city_name] == "?" and [geoip][region_name] == "?" {
mutate {
replace => { "[geoip][region_name]" => "%{[geoip][country_name]}" }
}
}
However the "?" in geoip.region_name is still there, not replaced. Any idea why?
Hi,
The issue might be due to the condition in your if statement. In Logstash, the == operator checks for exact equality. If the fields [geoip][city_name] and [geoip][region_name] contain any additional whitespace or different casing, the condition will not be met, and the mutate filter will not be applied.
Or you should check for their existence before trying to access their values.
Regards
Another possiblity is that it is being replaced by the country_name, which is also set to "?".
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.