Reputation: 664
Logstash filter that drops events when something is null
So I wrote a filter to drop any event that has a certain field with a value of null:
filter {
if[type] == "flow" and [packet_source][ip] == "" {
drop { }
}
}
However, this does not work. Does anyone have any idea why? The names of the parameters are correct
Logstash version 5.2
Upvotes: 0
Views: 1861
Answers (2)
Reputation: 9434
Adding to @cattastrophe's answer, try this as well:
if "flow" in [type] and "" in [packet_source][ip]{
drop { }
}
AND
if[type] == "flow" and [packet_source][ip] == 'null'{ <-- please try with double quotes around null as well
drop { }
}
Upvotes: 1
Reputation: 291
Your filter is checking that [packet_source][ip] == "" exists and is not null.
Not sure what [type] == "flow" is, but I think you want
filter {
if[type] == "flow" and ("" not in [packet_source][ip]) {
drop { }
}
}
You can also use !("" in [packet_source][ip]) or !([packet_source][ip] == "")
However, per the documentation, there’s currently no way to differentiate between a field that doesn’t exist versus a field that’s simply false.
You can reference: https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html
Upvotes: 4
Related Questions
- Remove Field from event by pattern
- How to filter out records based on one param from one index in logstash
- Logstash ignoring multiple date filters
- Not able to drop event where grok filter does not match, logstash, elastic search
- How to remove all fields with NULL value in Logstash filter
- Drop log messages containing a specific string
- Logstash Filter on Specific Values
- Remove an event field and reference it in Logstash
- Logstash drop filter for event
- How to remove an event from logstash?