Unable to remove the field

soujanya · August 4, 2015, 9:16am

Hi all,
I'm new to the Kibana. I'm trying to remove the field based on some condition. But not getting how to do..
I've used the below code.

filter {
grok {
break_on_match => false
match => { "message" => "%{TIMESTAMP_ISO8601:timestamp}] %{LOGLEVEL:loglevel} %{GREEDYDATA:log}|%{GREEDYDATA:log1}"}
}
if[log] =~ "(?i) applicable" {
grok{
remove_field => ["log"]
}
}
}

If log contains keyword "applicable", log field has to be removed furtherly.Please anyone help me out in resolving the issue. Any help would greatly appreciated.

Thank you in advance.

magnusbaeck · August 4, 2015, 9:53am

if[log] =~ "(?i) applicable" {

As documented, the correct syntax is:

if [log] =~ /(?i) applicable/ {

Secondly, the grok filter's remove_field option will only fire when the grok filter is successful, and it never is because you're not supplying any expressions to match against. Use the mutate filter instead:

mutate {
  remove_field => ["log"]
}

Topic		Replies	Views
Compare fields with an external file Logstash	7	842	April 12, 2019
Can't remove fields in logstash 5.2.2 Logstash	5	805	April 12, 2017
How to remove the fields Logstash	4	809	December 29, 2021
How to remove a field Logstash	2	428	July 6, 2017
Issue with remove_field Logstash	6	1618	February 24, 2017

Unable to remove the field

Related topics