Replace empty field with a meaningful word

Hi everyone,
I am trying to replace empty fields instead of %{}
So I used this code:

if ! [xxevent.fw_app_id] {
    mutate {
        update => { "xxevent.fw_app_id" => "EMPTY" }
    }
}

However, it did not replace all to "EMPTY". Is there a better way to do this?


My add_field code:

 mutate { 
        add_field => { 
             "xxevent.fw_app_id" => "%{[XDRevent][fw_app_id]}"
             "xxfile.name" => "%{[XDRevent][action_file_name]}"
....

What do you want to do with the xxevent.fw_app_id field?
a) if it does not exist at all, replace it with a field value, for instance: [XDRevent][fw_app_id]
b) if it does not exist at all, replace it with the value: EMPTY
c) if it exists but is a zero string "", replace it with the value: EMPTY
d) if it exists but is NULL, replace it with the value: EMPTY
e) other

Can you share the json of the document in Kibana?

Is your field named xxevent.fw_app_id with a literal dot in its name, or is it a JSON object where fw_app_id is nested under xxevent?

Those are completely different things and the way you refer to them in Logstash is different from the way you refer to them in Elasticsearch/Kibana.

The update mutation only works when the field exists.
In your first code snippet you are saying: if the field doesn't exist, then do an update. But because the field doesn't exist, it won't do anything.
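
One way to get "EMPTY" for every event, added here as an example that is not code from any poster in this thread: test the source field before copying it, and use replace rather than update for the fallback. It assumes the source value is nested as [XDRevent][fw_app_id] and the target is a top-level field with a literal dot in its name, as in the add_field code above; the three sample events are constructed.

```logstash
# Constructed sample events: one with a value, one with an empty string,
# one where fw_app_id is absent.
input {
  generator {
    count => 1
    codec => "json"
    lines => [
      '{"XDRevent": {"fw_app_id": "ssl"}}',
      '{"XDRevent": {"fw_app_id": ""}}',
      '{"XDRevent": {"action_file_name": "a.txt"}}'
    ]
  }
}

filter {
  # Test the SOURCE field, not the target. When the source is missing,
  # add_field stores the unresolved reference as the literal text
  # "%{[XDRevent][fw_app_id]}", so the target exists and a later
  # "if ! [xxevent.fw_app_id]" never matches.
  # A bare [field] test is false for a missing or null field; the empty
  # string needs its own comparison.
  if [XDRevent][fw_app_id] and [XDRevent][fw_app_id] != "" {
    mutate {
      add_field => { "xxevent.fw_app_id" => "%{[XDRevent][fw_app_id]}" }
    }
  } else {
    # replace sets the field and creates it if it does not exist;
    # update would do nothing here because the field is absent.
    mutate {
      replace => { "xxevent.fw_app_id" => "EMPTY" }
    }
  }
}

output {
  stdout { codec => rubydebug }
}
```

With this pipeline the first event keeps "ssl" and the other two carry "EMPTY", so searches and detection rules keyed on the field never see an unresolved %{...} string.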
