Using if-else with Logstash split

Question

I have a string field called description delimited with _.

I split it as follows:

filter {
    mutate {
        split => ["description", "_"]
        add_field => {"location" => "%{[description][3]}"}
    }

How can I check if the split values are empty or not?

I have attempted:

if !["%{[description][3]}"] {
    # do something
}

if ![[description][3]] {
    # do something
}

if ![description][3] {
    # do something
}

None of them work.

The goal is to have the value of the new field location as its actual value or a generic value such as NA.

Answer 1

you made a really simple mistake with your mutate split.

this

mutate {
        split => ["description", "_"]
        add_field => {"location" => "%{[description][3]}"}
    }

should have been

mutate {
        split => ["description"=> "_"]   <=== see I removed the comma and added =>
        add_field => {"location" => "%{[description][3]}"}
    }

here is sample I tested out with

filter {
  mutate {
        remove_field => ["headers", "@version"]
        add_field => { "description" => "Python_Java_ruby_perl " } 
  }
  mutate {
        split => {"description" =>  "_"}
  }

  if [description][4] {
    mutate {
     add_field => {"result" => "The 4 th field exists"}
    }   
  } else {

    mutate {
     add_field => {"result" => "The 4 th field  DOES NOT exists"}
    }   
 }

and the result on console (since there is no 4 th element, it went to else block

{
           "host" => "0:0:0:0:0:0:0:1",
         "result" => "The 4 th field  DOES NOT exists",  <==== from else block
     "@timestamp" => 2020-01-14T19:35:41.013Z,
        "message" => "hello",
    "description" => [
        [0] "Python",
        [1] "Java",
        [2] "ruby",
        [3] "perl "
    ]
}