Here is how to overwrite null values with a ruby filter. It is pretty handy if you want meaningful values instead of dealing with nulls.
```
input {
  beats {
    port => 5044
  }
}

filter {
  grok {
    match => { "message" => "(%{TIMESTAMP_ISO8601:logdate})? %{WORD:field1} %{WORD:field2}" }
  }
  # Replace missing (nil) fields with a placeholder string.
  # Logstash 5.0+ requires event.get/event.set; event['field'] only works on older releases.
  ruby {
    code => "event.set('field1', 'empty') if event.get('field1').nil?; event.set('field2', 'empty') if event.get('field2').nil?"
  }
}

output {
  stdout { codec => rubydebug }
  elasticsearch {
    hosts => ["localhost:9200"]
  }
}
```
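The same null replacement as an added example (not code from the original post), written in the script-file form that the ruby filter loads with `path`. It goes beyond the inline version by also treating empty strings as missing and by recording which fields were defaulted, so a placeholder is not mistaken for logged data. The `defaulted_fields` field name and the `FakeEvent` class are assumptions made for this example.

```ruby
# Added example: script-file form of the Logstash ruby filter.
# Field names and the 'empty' placeholder come from the post; FakeEvent and
# 'defaulted_fields' are hypothetical names introduced for this example.

# Called once by Logstash with the filter's script_params.
def register(params)
  @fields = params['fields'] || %w[field1 field2]
  @placeholder = params['placeholder'] || 'empty'
end

# Called for every event; must return the list of events to keep.
def filter(event)
  filled = @fields.select do |name|
    value = event.get(name)
    missing = value.nil? || (value.respond_to?(:empty?) && value.empty?)
    event.set(name, @placeholder) if missing
    missing
  end
  # Record which fields were defaulted so the placeholder stays distinguishable.
  event.set('defaulted_fields', filled) unless filled.empty?
  [event]
end

# Constructed stand-in exposing only the get/set calls used above,
# so the script can be exercised outside Logstash.
class FakeEvent
  def initialize(data); @data = data; end
  def get(name); @data[name]; end
  def set(name, value); @data[name] = value; end
  def to_hash; @data; end
end

# Constructed sample events: fully parsed, partly parsed, and a grok failure.
def demo
  register('fields' => %w[field1 field2], 'placeholder' => 'empty')
  samples = [
    { 'field1' => 'alpha', 'field2' => 'beta' },
    { 'field1' => 'alpha', 'field2' => nil },
    { 'message' => 'unparsed line', 'tags' => ['_grokparsefailure'] }
  ]
  samples.map { |s| filter(FakeEvent.new(s)).first.to_hash }
end
```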