add_field => {"ExampleFieldName" => "%{[example][jsonNested1][jsonNested2]}"}
My Logstash receives a JSON from Filebeat, which contains object example, which itself contains object jsonNested1, which contains a key value pair (with the key being jsonNested2).
If jsonNested1 exists and jsonNested2 exists and contains a value, then this value will be saved correctly in ExampleFieldName in Elasticsearch.
{
"example": {
"jsonNested1": {
"jsonNested2": "exampleValue"
}
}
}
In this case ExampleFieldName would contain exampleValue.
{
"example": {
"jsonNested1": {
}
}
}
In this case I would like ExampleFieldName to contain an empty string or no value at all (or to be not created in the first place).
But it happens that ExampleFiledName contains the string %{[example][jsonNested1][jsonNested2]}.
I already found a solution for this by checking first if the the nested key value pair exists before performing the add_field.
if [example][jsonNested1][jsonNested2] {
mutate {
add_field => {"ExampleFieldName" => "%{[example][jsonNested1][jsonNested2]}"}
}
}
This solution works, but I can't believe this is the best way to do it. I find it very strange that Logstash even saves %{[example][jsonNested1][jsonNested2]} as a string here, when the key value pair doesn't exist. I would expect it to recognize this and to simply not save any value in this case.
The if statement is an acceptable solution if have to check for one field. But currently I'm working on a Logstash config with around 50 fields. Should I create 50 if statements there?
