logstash check if field exists

logstash logstash-configuration
spuder picture spuder · May 18, 2015 · Viewed 76.4k times · Source

I have log files coming in to an ELK stack. I want to copy a field (foo) in order to perform various mutations on it, However the field (foo) isn't always present.

If foo doesn't exist, then bar still gets created, but is assigned the literal string "%{foo}"

How can I perform a mutation only if a field exists?

I'm trying to do something like this. 

if ["foo"] {
  mutate {
    add_field => "bar" => "%{foo}
  }
}

Answer

Ofri Raviv picture Ofri Raviv · May 18, 2015

To check if field foo exists:

1) For numeric type fields use:

 if ([foo]) {
    ...
 }

2) For types other than numeric like boolean, string use:

if ("" in [foo]) {
    ...
}

Related questions

Logstash configtest

I ran service logstash configtest but error given was: logstash: unrecognized service I was able to run logstash service individually but not with "configtest". In etc/logstash/conf.d/ I created logstash.conf file where consist of code as present …

Read More
Logstash SQL Server Data Import

I want to import data in ElasticSearch using Logstash using JDBC SQL Server as input but I am getting error class path is not correct. Anybody know how to connect using Logstash for correct location for sqljdbc FILE WITH CONFIG …

Read More
Sending data to logstash via tcp

I'm running into some issues sending log data to my logstash instance from a simple java application. For my use case, I'm trying to avoid using log4j logback and instead batch json events on separate lines through a raw …

Read More