Access nested logstash event key in ruby

Elastic Stack Logstash
1

I am trying to create new field as a list from nested keys in the event. I thought to do it in ruby filter but can't figure out how to retrieve nested keys into the list

I would like to create a field with a list of all sources.a specified or empty list in none
The example of event is as follows:
input:

{"source.a.London": false, "source.a.Berlin": true, "source.a.Paris": true, "other.data": true}

output:

{"source.specified": ["London", "Berlin", "Paris"], "other.data":true}

if there is no source:
input:

{"other.data": true}

output:

{"source.specified": [], "other.data":true}

I am trying to do it with ruby and changing the event to hash and loop it over but it seems so inefficient.
The code as standalone ruby filter (which does not work at the moment) is:

def parse_tags(event)
  eve = event.to_hash
  tagsList = []
  eve["source"]["a"].each_pair { |k, v|
   tagsList << k
  }
  event.set(["source"]["specified"], tagsList)
end 

def filter(event)
  parse_tags(event)
  return [event]
end

It gives me the error:

[ERROR][logstash.filters.ruby    ] Could not process event: undefined method `[]'

What would be the most efficient way to make it?

2

Those are not nested events. They are just fields that contain a period in their name. If you send them to stdout you get

 "source.a.Paris" => true,
"source.a.Berlin" => true,
"source.a.London" => false,
     "other.data" => true,

So you would need to iterate over eve and test whether the name of each field starts with "source.a.".

3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.