True/false value from filebeat is ignored in logstash

Hi,

I have a filebeat parameter called "keep_message", where the value should be true or false. In filebeat, it is configured like that:

  paths:
    - c:\temp\ssis.txt
  
  fields_under_root: true
  fields:
    keep_message: true

The purpose of this parameter is to delete or not the original message from the document; however, it doesn't matter what value I put there (true or false), the message is deleted and, based on the tags, it always falls into the true condition.
The default value should be false. Here is how I configured logstash:

	mutate { add_tag => ["debug_tag_before_keep_message_1"] }
	if !("true" in [keep_message]) {
		mutate { add_tag => ["debug_tag_inside_if_keep_message_2"] }
		mutate {
			remove_field => [ "message" ]
		}
	}
	else {
		mutate { add_tag => ["debug_tag_inside_else_keep_message_3"] }
	}

However, when I run the process, the message is always removed, and I get the following tags:

        [0] "debug_tag_before_keep_message_17",
        [1] "debug_tag_inside_if_keep_message_18"

I tried different condition combinations, but none of them worked, like:

	if !('true' in [keep_message]) {
	if ([keep_message] != 'true') {
	if ([keep_message] != "true") {

Also, I can see that the proper value is properly sent to logstash:

        "keep_message" => true

Any idea on what could be wrong? Any help will be more than welcome and appreciated.

Thanks,
Rob

keep_message is a boolean, not a string (there are no quotes around it). Try

	if ! [keep_message] ...
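Added example, not part of the thread: a minimal pipeline using the boolean test suggested above, so that a missing or false `keep_message` drops `message` and a true one keeps it. The `mutate` `convert` step, the stdin/stdout wiring and the sample input lines are assumptions added here for testing, not the poster's configuration.

```logstash
# Constructed test input, one JSON document per line on stdin:
#   {"message":"a","keep_message":true}      -> message kept
#   {"message":"b","keep_message":false}     -> message removed
#   {"message":"c","keep_message":"true"}    -> message kept (string normalised)
#   {"message":"d"}                          -> message removed (default is false)
input {
  stdin { codec => json_lines }
}

filter {
  # Normalise string forms such as "true"/"false" to a real boolean.
  # A value that is already boolean is unchanged; a missing field is skipped.
  mutate {
    convert => { "keep_message" => "boolean" }
  }

  # Truthiness test on the field itself: a missing field and boolean false
  # are both falsy, so the message is dropped unless keep_message is true.
  if ![keep_message] {
    mutate {
      add_tag      => ["message_removed"]
      remove_field => ["message"]
    }
  }
  else {
    mutate { add_tag => ["message_kept"] }
  }
}

output {
  stdout { codec => rubydebug }
}
```

Without the `convert` step, a shipper that sends the string "false" would produce a truthy field, and the message would be kept.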

Hey @Badger, you nailed it (again!).

Thanks a lot. Really appreciate it.

Rob.
