Change event name based on type

Hello,

I have a field which is an object but sometimes it's a string. I'm using the below Ruby code but for some reason I'm still getting an error. Does anyone know why?

if event.get("[data][aws][configuration][status]").is_a? String
  event.set("[data][aws][configuration][statusString]", event.get("[data][aws][configuration][status]"))
  event.remove("[data][aws][configuration][status]")
elsif event.get("[data][aws][configuration][status]").nil?
  event.remove("[data][aws][configuration][status]")
end

Event:

{
               "data" => {
        "integration" => "aws",
                "aws" => {
                           "configuration" => {
                                          "status" => "available",
            }
        }
    }
}

Error:
[WARN ] 2021-09-13 21:28:34.001 [[main]>worker0] amazonelasticsearch - Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"wazuh-alerts-4.x-2021.37", :_type=>"_doc", :_routing=>nil}, #<LogStash::Event:0x67f05c56>], :response=>{"index"=>{"_index"=>"wazuh-alerts-4.x-2021.37", "_type"=>"_doc", "_id"=>"wfQP4XsBhi2ZIJK3ywFq", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"object mapping for [data.aws.configuration.status] tried to parse field [status] as object, but found a concrete value"}}}}

Thanks in advance!

Please note that I troubleshot it by using a "puts" function within the logical statement, and the logical statement works as expected.

For now I'm using a workaround to find whether the fields are not objects, but I'd really like to know as to why the Ruby statements didn't work.

if [data][aws][configuration][status] =~ /^((?!^{.*}).)*$/ {
  mutate {
    rename => {"[data][aws][configuration][status]" => "[data][aws][configuration][statusString]"}
  }
}
