Unable to add empty field with Logstash

Hello community!

I'm trying to add an empty field in Logstash parsers like this:

mutate {
  add_field => { "comments" => {} }
}

This is my mapping in Kibana:

{
  "_meta": {
    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
    "ecs_version": "8.3.1"
  },
  "template": {
    "mappings": {
      "properties": {
        "comments": {
          "type": "object"
        }
      }
    }
  }
}

But it just does not appear in Kibana, even under the JSON view of _source. Any idea what I am doing wrong? Thanks in advance!

output file:

output {
  if [type] == "office365" {
    elasticsearch {
      index => "report-%{[PK]}"
      ecs_compatibility => v8
      hosts => "elastic:9200"
    }
  }
}

input

preprocess file:

filter {
  if [type] == "office365" {
    # drop any comments
    if [message] =~ /^#/ {
      drop {}
    }

    # lowercase all true/false values so downstream picks them up as booleans
    mutate {
      gsub => [
        "message", '(?i)""true""', 'true',
        "message", '(?i)""false""', 'false',
        "message", '(?i)"true"', '"true"',
        "message", '(?i)"false"', '"false"'
      ]
    }
  }
}

postprocess file:

filter {
  if [type] == "office365" {
    # enrich the useragent field
    if [useragent] {
      mutate {
        # remove quotes from quoted string
        # convert + sign to space
        gsub => [
          "useragent", "\"", "",
          "useragent", "\+", " "
        ]
      }
      useragent {
        source => [useragent]
        target => [useragentinfo]
      }
    }
  }
}

That doesn't do anything. Not sure why. Try

ruby { code => 'event.set("comments", {})' }

Awesome! It's working exactly as I needed. Would you mind elaborating on it a bit to help me understand it? Thanks in advance.
