有点of脚，它开箱即用，但是您可以像这样破解它-添加布尔值的字符串表示形式，比较针对字符串，然后删除添加的字段:

Kind of lame that it doesn't work right out of the box, but you can hack it like this -- add a string representation of the boolean, compare against the string, and then remove the added field:

filter {
   mutate {
     add_field => { "test" => "%{boolean}" }
   }
   if [test] == 'true' or [test] == 'false' {
     // field is present and set right
   } else {
     // field isn't present or set to something other than true/false
   }
   mutate {
     remove_field => [ "test" ]
   }
}