OK, so it looks like I can remove it completely and that resolves the issue. I guess I'm still curious how/why it gets pulled in as a nested field instead of an empty string.
Finally, my last question is: how would I remove that field ONLY when it is empty? Since it isn't an empty string field and is instead an empty nested field, the following hasn't worked:
This one fails to fulfill the condition:
if "" in [entry][ApplId]{
  mutate {
    remove_field => [ "[entry][ApplId]" ]
  }
}
This one actuates EVERY time:
if [entry][ApplId][]{
  mutate {
    remove_field => [ "[entry][ApplId]" ]
  }
}
So is there a way I can write a condition which will remove the field only when it is empty, and not all or nothing? When there is information presented in ApplId, I would prefer to keep that field.