Accounting for "field name cannot be an empty string"?

Kenneth_M_Kolano · March 14, 2019, 9:14pm

I have incoming JSON logs with sections like...

> {"results":{"workers":{"trid": {
	"TRD": [
		{
			"likely": "50.0%",
			"type": "TrID defs package (14009/2/5)"
		}
	],
	"": [
		{
			"likely": "14.2%",
			"type": "Generic RIFF container (4000/1)"
		}
	]
}}}}

...which result in Logstash errors...

Mar 14 00:00:19 pass1 logstash[1929]: [2019-03-14T00:00:19,727][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"file-analysis", :_type=>"doc", :routing=>nil}, #<LogStash::Event:0x38a7b5bc>], :response=>{"index"=>{"_index"=>"file-analysis", "_type"=>"doc", "_id"=>"gnZbemkBw5GzxxY5osDe", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"field name cannot be an empty string"}}}}}`

I thought I'd be able to just use Mutate/rename to revise them to have a name, but I'm unclear how to specify the blank field name for such...

rename => { "results.workers.trid.\"\"" => "results.workers.trid.extensionless" }`

?

Badger · March 14, 2019, 9:52pm

If all else fails, try ruby

    ruby {
        code => '
            h = event.get("[results][workers][trid]")
            newh = {}
            h.each { |k, v|
                if k == ""
                    newk = "extensionless"
                else
                    newk = k
                end
                newh[newk] = v
            }
            event.set("[results][workers][trid]", newh)
        '
    }

Apologies if my ruby coding style makes your eyeballs bleed. (That if-else-end hurts even my eyes!)

system · April 11, 2019, 9:52pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.