
I have a log source where the sourceAddress field can look like one of the following 3 ways:
{ "sourceAddress": "1.1.1.1,2.2.2.2" }
{ "sourceAddress": "1.1.1.1"}
{ "sourceAddress": null }

I can get the parser to map the first two examples of the above IP log types successfully, but I can't seem to figure out how to ignore the field when it contains the null value. Without removing the null value I am getting: field type check failed: field backstory.Noun.ip[0] "" does not match type IP: invalid argument

My syntax is as follows:

 
filter {
      mutate {
    replace => {
      "sourceAddress" => ""
    }
  }

mutate { replace => {"event.idm.read_only_udm.metadata.event_type" => "GENERIC_EVENT"
    }
}

json {
    source => "message"
    array_function => "split_columns"
}
mutate {
    split => {
       source => "sourceAddress"
       separator => ","
       target => "sourceAddress_"
    }
  }

for k,v in sourceAddress_ {
    mutate {replace => {"temp__ip" => "%{v}"}}
    mutate {merge => {"ip" => "temp__ip"}}
    mutate {replace => {"temp__ip" => ""}}
}
mutate {rename => {"ip" => "event.idm.read_only_udm.principal.ip"}}

mutate {
    merge => {
      "@output" => "event"
    }
}
}
I have tried the below syntax, but when I use it, it seems to flat out ignore the sourceAddress field and doesn't show any value when sourceAddress contains an actual IP address. So if the log was this one, { "sourceAddress": "1.1.1.1,2.2.2.2" }, it doesn't parse out the valid IPs; it ignores the entire thing altogether.

if [sourceAddress] == "null" {

  mutate {
    split => {
      source => "sourceAddress"
      separator => ","
      target => "sourceAddress_"
    }
  }
  Continuation of code ...........................

The correct condition is:

if [sourceAddress] != "" {
  mutate {
    split => {
      source => "sourceAddress"
      separator => ","
      target => "sourceAddress_"
    }
  }
}

statdump will show that the "json" clause converted the null value of "sourceAddress" into an empty string.
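The behaviour discussed in this thread, modelled in Python as an added example (not the parser's own code and not from either post): the json stage turning null into an empty string, the split stage under the three conditions that appear above (none, `== "null"`, `!= ""`), and the UDM IP type check that rejects an empty element. The three sample events are the ones from the question; the stage functions are a constructed approximation of the parser, not its implementation.

```python
import ipaddress
import json

# Constructed sample events, the three shapes from the question.
SAMPLE_LOGS = [
    '{ "sourceAddress": "1.1.1.1,2.2.2.2" }',
    '{ "sourceAddress": "1.1.1.1"}',
    '{ "sourceAddress": null }',
]


def json_stage(raw):
    """Model of the json stage: a null field becomes "" (the statdump
    observation in the answer). Assumption: this is an approximation."""
    value = json.loads(raw).get("sourceAddress")
    return "" if value is None else str(value)


def split_stage(source_address, condition="not_empty"):
    """Model of the split stage under the three conditions on the page:
    "none"        - original config, split runs unconditionally
    "equals_null" - the asker's attempt, split runs only if value == "null"
    "not_empty"   - the answer's condition, split runs only if value != ""
    """
    run = {
        "none": True,
        "equals_null": source_address == "null",
        "not_empty": source_address != "",
    }[condition]
    if not run:
        return []  # split never ran, so no ip values are merged
    return [v.strip() for v in source_address.split(",")]


def udm_ip_check(values):
    """Model of the UDM type check on principal.ip: every element must be a
    valid IP, otherwise the event fails like the error in the question."""
    ips = []
    for i, v in enumerate(values):
        try:
            ips.append(str(ipaddress.ip_address(v)))
        except ValueError:
            raise ValueError(
                f'field type check failed: field ip[{i}] "{v}" does not match type IP'
            )
    return ips


def parse(raw, condition="not_empty"):
    """Run the modelled pipeline; returns the ip list or the error text."""
    try:
        return udm_ip_check(split_stage(json_stage(raw), condition))
    except ValueError as err:
        return str(err)
```

Note that `"".split(",")` yields `[""]`, which is exactly the empty element the type check rejects; the `!= ""` guard prevents the split from running on that value.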