You can check for the existence of a specific field, but there’s currently no way to differentiate between a field that doesn’t exist versus a field that’s simply false. The expression if [foo] returns false when:

[foo] doesn’t exist in the event,
[foo] exists in the event, but is false, or
[foo] exists in the event, but is null

filter {
  if ![added_field] {
    mutate {
      add_field => {
        "added_field" => "added_field_value"
      }
    }
  }
}
output {
  if [added_field] {
    stdout {
      codec => rubydebug
    }
  }
}
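
The three cases listed above can be seen side by side with a small test pipeline. This is an added example, not part of the original documentation; the sample events, the id field and the foo_check field name are constructed for illustration.

```logstash
# Constructed test input: four JSON events that differ only in [foo].
input {
  generator {
    lines => [
      '{"id": 1}',
      '{"id": 2, "foo": false}',
      '{"id": 3, "foo": null}',
      '{"id": 4, "foo": true}'
    ]
    count => 1
    codec => json
  }
}

filter {
  if [foo] {
    # Only event 4 takes this branch.
    mutate {
      add_field => { "foo_check" => "true" }
    }
  } else {
    # Events 1, 2 and 3 all land here: the conditional cannot tell
    # a missing field from one that is false or null.
    mutate {
      add_field => { "foo_check" => "missing_false_or_null" }
    }
  }
}

output {
  stdout {
    codec => rubydebug
  }
}
```

Any routing or drop rule written as if ![foo] therefore also matches events where the field was never populated, which matters when the field carries a boolean such as an allow or authenticated flag.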