Mahith Geallapally
Reputation: 21
Use non whitelisted fields in Logstash if statement
I have a logstash configuration where I used prune to whitelist few fields.
prune {
whitelist_names => ["id","name"]
}
The problem is, I need to use an if condition in the output on a field other than id field, eg: "type". But since I have not whitelisted "type", the if condition is not working.
if ( [type] in ["abc","efg"] ) {
elasticsearch {
action => "update"
hosts => [ "localhost:9200" ]
index => "index"
document_id => "%{id}"
doc_as_upsert => true
}
}
How can I use non whitelisted field in if condition?
Upvotes: 0
Views: 250
Answers (1)
glenacota
Reputation: 2547
Before your prune filter, add a mutate filter to copy the value of the field you're going to delete (type) into a new metadata field. Then, prune. Then, use the new metadata field in your output condition.
...
filter {
...
mutate {
add_field => {
"[@metadata][type]" => "%{type}"
}
}
prune {
whitelist_names => ["id","name"]
}
...
}
output {
if [@metadata][type] in ["abc","efg"] {
elasticsearch {
action => "update"
hosts => [ "localhost:9200" ]
index => "index"
document_id => "%{id}"
doc_as_upsert => true
}
}
}
Upvotes: 2
Related Questions
- Logstash add dynamic whitelist names based on a filed value
- How to add condition to my logstash grok filter?
- elasticsearch filter not working in logstash
- logstash Custom Log Filter for Apache Logs
- Only allow fields that are in the index template
- Configuring Logstash to only include certain fields
- Logstash Filter on Specific Values
- Dealing with "null" fields and add_field directive in logstash
- How to set field in Logstash as "not_analyzed" using Logstash config file
- how to make two condition check in logstash and write better configuration file