Adding multiple nested json fields to an array field

Hello,

I have a nested json field in my logs called "instanceId":

    "responseElements": {
      "instancesSet": {
        "items": [
          {
            "instanceId": "i-02669ced00e8a3701",
            "currentState": { "code": 32, "name": "shutting-down" },
            "previousState": { "code": 16, "name": "running" }
          },
          {
            "instanceId": "i-0050374c0e0a6306a",
            "currentState": { "code": 32, "name": "shutting-down" },
            "previousState": { "code": 16, "name": "running" }
          }
        ]
      }
    }

As you can see there are two values for instanceId in this log (some logs will have many more). What I want to do is to extract all of the values of instanceId and put them into a new array field called "resp_instance_id".

This ruby code does not work as it doesn't create an array field:

    ruby {
        code => '
            response_item_size = event.get("[responseElements][instancesSet][items]").length
            response_item_size.times do |index|
                event.set("[resp_instance_id][#{index}]", event.get("[responseElements][instancesSet][items][#{index}][instanceId]"))
            end
        '
    }

This results in this strange looking field:

Which in turn produces multiple fields in our platform like this (there are more than just two in this case):

What I want is an array field instead, like this:

    "resp_instance_id" => [
        [0] i-02669ced00e8a3701
        [1] i-0050374c0e0a6306a
    ]

I don't want to hardcode this by referencing the elements of instanceId manually, like this:

[responseElements][instancesSet][items][0][instanceId]
[responseElements][instancesSet][items][1][instanceId]

Because instanceId will have an unknown number of values (not just two as in this example).
I have tried using a loop in ruby to create a ruby array which contains all of the elements of "instanceId" and was successful in creating that array. However, I was unable to do an add_field using that array of values. It seems that add_field cannot be included in a loop in the ruby code, but rather must come after the closing ' of the ruby code block. I do know if you use "add_field" to create the same field multiple times with different values that the resulting field will be an array field. But, without being able to use "add_field" inside of the ruby loop, this does not seem possible.

You can do it using

    ruby {
        code => '
            # Collect every instanceId into a Ruby array, then set the field once.
            response_items = event.get("[responseElements][instancesSet][items]")
            a = []
            response_items.each_index do |x|
                a << response_items[x]["instanceId"]
            end
            event.set("resp_instance_id", a)
        '
    }
2 Likes
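
A nil-safe variant of the answer above, as an added example that is not part of the original thread: it skips events where `[responseElements][instancesSet][items]` is missing or not an array instead of raising inside the filter. `StubEvent` and `collect_instance_ids` are hypothetical names; `StubEvent` only imitates `event.get`/`event.set` on simple `[a][b]` references so the logic runs outside Logstash.

```ruby
# Hypothetical stand-in for the Logstash event (assumption: only get/set on
# "[a][b]" references or a bare top-level name are needed here).
class StubEvent
  def initialize(data)
    @data = data
  end

  # Returns nil if any level of the reference is missing or not a hash.
  def get(ref)
    keys(ref).reduce(@data) { |node, k| node.is_a?(Hash) ? node[k] : nil }
  end

  def set(ref, value)
    *parents, last = keys(ref)
    node = parents.reduce(@data) { |n, k| n[k] ||= {} }
    node[last] = value
  end

  private

  def keys(ref)
    ref.start_with?("[") ? ref.scan(/\[([^\]]+)\]/).flatten : [ref]
  end
end

# Filter body: build the array first, then set the field once.
# Leaves the event untouched when there is nothing to collect.
def collect_instance_ids(event)
  items = event.get("[responseElements][instancesSet][items]")
  return unless items.is_a?(Array)
  ids = items.map { |i| i.is_a?(Hash) ? i["instanceId"] : nil }.compact
  event.set("resp_instance_id", ids) unless ids.empty?
end

# Constructed sample events: one with two instances, one with no response body.
terminated = StubEvent.new("responseElements" => { "instancesSet" => { "items" => [
  { "instanceId" => "i-02669ced00e8a3701", "currentState" => { "code" => 32 } },
  { "instanceId" => "i-0050374c0e0a6306a", "currentState" => { "code" => 32 } }
] } })
no_response = StubEvent.new("responseElements" => nil)

collect_instance_ids(terminated)
collect_instance_ids(no_response)
p terminated.get("resp_instance_id")
p no_response.get("resp_instance_id")
```

Inside Logstash, the four lines of the `collect_instance_ids` body go in the `code => '...'` string of the ruby filter, with `next` in place of `return`.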

worked! thank you.
