Logstash replace null values

Here is how to overwrite null values with a ruby filter. It is pretty handy if want some meaningful values instead of dealing with null values.


	beats {
		port => 5044
	}
	grok {
		match => { "message" => "(%{TIMESTAMP_ISO8601:logdate})? %{WORD:field1} %{WORD:field2}" }
	}
			
	ruby {
		code => "event['field1'] ='empty' if event['field1'] == nil; 
				 event['field2'] ='empty' if event['field2'] == nil;"
	}

	output {
		stdout {codec => rubydebug}
		elasticsearch {
				hosts => ["localhost:9200"]
		}
	}

beats {

port => 5044

}

grok {

match => { "message" => "(%{TIMESTAMP_ISO8601:logdate})? %{WORD:field1} %{WORD:field2}" }

}

ruby {

code => "event['field1'] ='empty' if event['field1'] == nil;

event['field2'] ='empty' if event['field2'] == nil;"

}

output {

stdout {codec => rubydebug}

elasticsearch {

hosts => ["localhost:9200"]

}

This entry was posted in Uncategorized and tagged on March 20, 2017

Logstash replace null values

Recent Posts

Categories