What does this logstash filter do?

I'm having trouble understanding what this logstash filter does:

if ("" in [somefield1][somefield2]){
    drop{}
}

What does "" in the field mean?

If the field value is the empty string, [somefield1][somefield2] = "", drop the message, or better to say, the event. Nil is something else.

It is "in" the string. Does that mean that any string will be able to be dropped?

in can be used to do two things, one is array membership, the other is detecting substrings of a string. Any string will contain the substring "", so yes, this is trying to drop all strings. It will also drop any string arrays that contain an empty string:

input {
    generator {
        count => 1
        lines => [
            '{ "a": "Hello, world!" }',
            '{ "a": [ "", "a" ] }',
            '{ "a": [ 4, 5 ] }',
            '{ "a": 42 }',
            '{ "a": false }',
            '{ "a": null }'
        ]
        codec => json
    }
}

output { stdout { codec => rubydebug { metadata => false } } }
filter {
    mutate { remove_field => [ "event", "host", "log" ] }

    if "" in [a] { drop {} }
}

will only output the last four events.

3 Likes

Thanks for the reply,

would it be the same if I do

if ([somefield1][somefield2]){
    drop{}
}

It's essentially the same thing, right? (If I know that the incoming input is in the string form)

Not at all, that will drop anything where the field is not equal to nil, or, if it is a boolean field, it contains true. It would drop five of the six events in my example (it does not drop { "a": false }).

1 Like
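
To compare the conditions discussed in this thread without discarding anything, here is an added example (not posted by any participant) that reuses the generator input from the answer above, adds one constructed empty-string event, and tags each event instead of dropping it. The tag names and the `[a] == ""` comparison are assumptions introduced for illustration.

```logstash
input {
    generator {
        count => 1
        lines => [
            '{ "a": "Hello, world!" }',
            '{ "a": "" }',
            '{ "a": [ "", "a" ] }',
            '{ "a": [ 4, 5 ] }',
            '{ "a": 42 }',
            '{ "a": false }',
            '{ "a": null }'
        ]
        codec => json
    }
}

filter {
    mutate { remove_field => [ "event", "host", "log" ] }

    # Condition from the original question: substring / array membership test.
    if "" in [a] { mutate { add_tag => [ "matches_in_empty" ] } }

    # Exact comparison against the empty string only.
    if [a] == "" { mutate { add_tag => [ "matches_eq_empty" ] } }

    # Bare field reference from the follow-up question.
    if [a] { mutate { add_tag => [ "matches_bare_field" ] } }
}

# Every event is printed; the tags show which conditions it satisfied.
output { stdout { codec => rubydebug { metadata => false } } }
```

Running a tagging pass like this before switching a condition to `drop {}` shows exactly which events the pipeline would silently discard.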