Hi
I'm trying to split a particular field in CloudTrail log and this is my filter pattern
filter{
json{
source => "message"
}
split{
field => "resources"
add_tag => "splitted"
} }
This is working when the field named "resources" exists in the logs. When the logs doesn't contains this field, getting an error [WARN ][logstash.filters.split ][main] Only String and Array types are splittable. field:resources is of type = NilClass.
I need help to rewrite the filter pattern to handle this exception and so to avoid getting the above given error log.
So you could execute the filter inside a conditional block that checks the existence of resources field
if [resources] {
split { ... }
}
Yup that worked. Thanks a bunch!!!
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.