
So I wrote a filter to drop any event that has a certain field with a value of null:

filter {
    if [type] == "flow" and [packet_source][ip] == "" {
        drop { }
    }
}

However, this does not work. Does anyone have any idea why? The names of the parameters are correct.

Logstash version 5.2

baudsp
BenjaFriend

2 Answers


Your filter is checking that [packet_source][ip] == "" exists and is not null.

Not sure what [type] == "flow" is, but I think you want

filter {
  if[type] == "flow" and ("" not in [packet_source][ip]) {
    drop { }
  }
}

You can also use !("" in [packet_source][ip]) or !([packet_source][ip] == "")

However, per the documentation, there’s currently no way to differentiate between a field that doesn’t exist versus a field that’s simply false.

You can reference: https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html

cattastrophe
  • Thank you! I got confused by a couple of other forum posts that I saw, but what you said there works. `[type] == "flow"` is netflow data collected by [Packetbeat](https://www.elastic.co/products/beats/packetbeat) – BenjaFriend Mar 01 '17 at 15:54

Adding to @cattastrophe's answer, try this as well:

if "flow" in [type] and "" in [packet_source][ip] {
    drop { }
}

AND

# please try with double quotes around null as well
if [type] == "flow" and [packet_source][ip] == 'null' {
    drop { }
}
Kulasangar
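To see which of the conditions in the two answers above actually fires on a missing field, an empty string, the literal string "null", and a populated address, here is a self-contained test pipeline (an added example, not code from either answer, from the question, or from the Elastic docs). It feeds constructed JSON lines through the `generator` input and tags each event instead of dropping it, so every case shows up in the output and you can compare them side by side. The file name `drop_null_ip.conf`, the `flow_id` values and the tag names are my own choices; the events are not real Packetbeat output.

```logstash
input {
  generator {
    # Constructed sample events, one per case to distinguish
    # (not real Packetbeat output).
    lines => [
      '{"type":"flow","flow_id":"a-missing"}',
      '{"type":"flow","flow_id":"b-empty","packet_source":{"ip":""}}',
      '{"type":"flow","flow_id":"c-literal-null","packet_source":{"ip":"null"}}',
      '{"type":"flow","flow_id":"d-populated","packet_source":{"ip":"10.0.0.5"}}',
      '{"type":"http","flow_id":"e-other-type","packet_source":{"ip":""}}'
    ]
    count => 1          # emit each line once, then stop
    codec => "json"     # parse each line into event fields
  }
}

filter {
  # Only "flow" events matter; this is the same [type] check the question uses.
  if [type] == "flow" {
    # The question's original test: true only when the value is exactly the
    # empty string, so an event with no [packet_source][ip] at all is not matched.
    if [packet_source][ip] == "" {
      mutate { add_tag => ["eq_empty_string"] }
    }
    # The accepted answer's form (the asker confirmed it dropped the events
    # they wanted dropped on 5.2).
    if "" not in [packet_source][ip] {
      mutate { add_tag => ["not_in"] }
    }
    # Negated field reference: the "doesn't exist versus simply false" caveat
    # quoted from the linked docs applies to this form.
    if ![packet_source][ip] {
      mutate { add_tag => ["negated_field"] }
    }
    # The second answer's form: compares against the four-character string
    # "null", so it only matches when an exporter writes that literal value,
    # never an absent field.
    if [packet_source][ip] == "null" {
      mutate { add_tag => ["eq_literal_null"] }
    }
  }
}

output {
  # Print every event with its tags so the cases can be compared.
  stdout { codec => rubydebug }
}
```

Run it with `bin/logstash -f drop_null_ip.conf` and read the `tags` on each event. Two outcomes are fixed by the configuration itself: `e-other-type` carries no tags because the outer `[type]` check excludes it, and `eq_literal_null` can only appear on `c-literal-null`. What lands on `a-missing` is the question's real concern, and it is what the accepted answer and the asker's follow-up comment report: `not_in` matches the absent field while `eq_empty_string` does not. Once you have confirmed that on your own version, replace the `mutate` in the matching branch with `drop { }`.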