Hi,
I have a filebeat parameter called "keep_message", where the value should be true or false. In filebeat, it is configured like that:
paths:
- c:\temp\ssis.txt
fields_under_root: true
fields:
keep_message: true
The purpose of this parameter is to delete or not the original message from the document, however doesn't matter what value I put there (true or false), the message is deleted and based on the tags, it always falls into the true condition.
The default value should be false. Here is how I configured logstash:
mutate { add_tag => ["debug_tag_before_keep_message_1"] }
if !("true" in [keep_message]) {
mutate { add_tag => ["debug_tag_inside_if_keep_message_2"] }
mutate {
remove_field => [ "message" ]
}
}
else {
mutate { add_tag => ["debug_tag_inside_else_keep_message_3"] }
}
However, when I run the process, the message is always removed, and I get the following tags:
[0] "debug_tag_before_keep_message_17",
[1] "debug_tag_inside_if_keep_message_18"
I tried different condition combinations, but none of them worked, like:
if !('true' in [keep_message]) {
if ([keep_message] != 'true') {
if ([keep_message] != "true") {
Also, I can see that the proper value is properly sent to logstash:
"keep_message" => true
Any idea on what could be wrong? Any help will be more then welcome and appreciated.
Thanks,
Rob