所以我编写了一个过滤器来删除任何具有某个值为null的字段的事件:
filter {
if[type] == "flow" and [packet_source][ip] == "" {
drop { }
}
}
然而,这不起作用。有谁知道为什么?参数名称正确
Logstash版本5.2
答案 0 :(得分:4)
您的过滤器正在检查[packet_source][ip] == ""是否存在且不为空。
不确定[type] == "flow"是什么,但我认为你想要
filter {
if[type] == "flow" and ("" not in [packet_source][ip]) {
drop { }
}
}
您还可以使用!("" in [packet_source][ip])或!([packet_source][ip] == "")
但是,根据文档,目前无法区分不存在的字段与完全错误的字段。
您可以参考:https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html
答案 1 :(得分:1)
添加@ cattastrophe的答案,也可以试试这个:
if "flow" in [type] and "" in [packet_source][ip]{
drop { }
}
和
if[type] == "flow" and [packet_source][ip] == 'null'{ <-- please try with double quotes around null as well
drop { }
}