creed
Reputation: 182
Logstash checking for field existence in nested json
I want to check for the MD5 field existence in Logstash 6.4 filter.
"files": [
{
"SHA256": "DA3662E34C66D770F28D23A26980B31245753049E55B0348D51B22524C00EE1C",
"filesize": "8732",
"MD5": "0551229E1E1180F5BF5513222C75412A"
},
{
"SHA256": "ADA57125645BE67E7DB885D4DF8EBBC46B7CA8F54258EEC510ECDCC9350FCB43",
"filesize": "433433",
"MD5": "ADF322D0711E22BDFAA60E3503621292"
}]
First tried filter:
filter {
if ("" in [files][MD5]) {
mutate {
add_field => { "md5_num" => "50"}
}
}
}
Second tried filter:
filter {
if [files][MD5]{
mutate {
add_field => { "md5_num" => "50"}
}
}
}
How come any of those two filters do not work as expected?
Upvotes: 2
Views: 4280
Answers (1)
baudsp
Reputation: 4110
The issue is that the file contains a json array. So you'd need to use the index of an element of the array for this to work.
if [files][0][MD5]{
mutate {
add_field => { "md5_num" => "50"}
}
}
Upvotes: 3
Related Questions
- Create nested object if not exists in a Logstash pipeline
- Filtering JSON/non-JSON entries in Logstash
- logstash check if field exists
- Logstash - import nested JSON into Elasticsearch
- how to apply if condition on fields of json contained in a log
- Not able to Parse Nested JSON in Logstash
- How to process json in logstash
- Logstash - Parsing and mutating JSON file
- Parse nested json in logstash
- Logstash Checking Existence of & Parsing Sub-Field