Unable to add empty field with Logstash

Elastic Stack Logstash
1

Hello community!

I'm trying to add empty field into Logstash parsers like this:

mutate {
add_field => {"comments" => {} }
}

this is my mapping in Kibana:

{
  "_meta": {
    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
    "ecs_version": "8.3.1"
  },
  "template": {
    "mappings": {
      "properties": {
        "comments": {
          "type": "object"
        }
      }
    }
  }
}

but it just do not appear in Kibana - even under json view _source. Any idea what am I doing wrong? Thanks in advance!

output file:

output {
  if [type] == "office365" {
    elasticsearch {
      index => "report-%{[PK]}"
      ecs_compatibility => v8
      hosts => "elastic:9200"
    }
  }
}

input

preprocess file:

filter {
  if [type] == "office365" {
    # drop any comments
    if [message] =~ /^#/ {
      drop {}
    }

    # lowercase all true/false values so downstream picks them up as booleans
    mutate {
      gsub => [
        "message", '(?i)""true""', 'true',
        "message", '(?i)""false""', 'false',
        "message", '(?i)"true"', '"true"',
        "message", '(?i)"false"', '"false"'
      ]
    }
  }
}

postprocess file:

filter {
  if [type] == "office365" {
    # enrich the useragent field
    if [useragent] {
      mutate {
        # remove quotes from quoted string
        # convert + sign to space
        gsub => [
          "useragent", "\"", "",
          "useragent", "\+", " "
        ]
      }
      useragent {
        source => [useragent]
        target => [useragentinfo]
      }
    }
  }
}
2

That doesn't do anything. Not sure why. Try

ruby { code => 'event.set("comments", {})' }
3

Awesome! It's working exactly I needed. Would you mind bit elaborate on it to help me understand it? Thanks in advance

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.