Delete "field" inside array

adrianolimit · January 26, 2017, 9:23am

Hello everyone,

I'm using the "Twitter input" and I want to delete some fields that I don't need.

For example, I would like to remove (so not index in Elasticsearch), the field "indices" inside the field "[entities][hashtags]" :

   "entities": {
            "hashtags": [
              {
                "indices": [
                  10,
                  16
                ],
                "text": "sport"
              }
            ]
          },
        }

I tried to use "ruby filter" in order to loop into the "hashtags" array and delete the "indices" element but that doesn't work...

if ([entities][hashtags]) {
	ruby {
		code => "event.get('[entities][hashtags]').each {
					|k| k.delete('indices')
		}"
	}
}

Do you have any idea?

Thanks in advance for your help

magnusbaeck · January 29, 2017, 6:59pm

That piece of Ruby looks correct. Are you getting anything related to it in your logs?

adrianolimit · January 29, 2017, 8:44pm

Hello Magnus,

I checked my log files and I didn't see any error. The problem is that in my Elasticsearch index (ouput) I still have the field "indices" within "entities.hashtags". Do you have any idea to solve my problem?

Thank you in advance.

magnusbaeck · January 29, 2017, 9:02pm

I'd try to narrow things down. Is the Ruby code being hit at all? What happens if you place event.tag('foo') at the beginning of the code block? Is the message tagged? What if you place it inside the each loop?

adrianolimit · January 29, 2017, 9:18pm

If I place event.tag('foo') at the beginning of the code block I obtain the field below in Elasticsearch, as expected :

   "tags": [
                "foo"
    ]

If I place the code here :

event.get('[entities][hashtags]').each {|k|
         event.tag('foo')
	 k.delete('indices')
}"

I also obtain the field below in Elasticsearch :

   "tags": [
                "foo"
    ]

I don't understand where is the problem...

For information, I'm using Elasticsearch 5.1.1 and Logstash 5.1.1

magnusbaeck · January 30, 2017, 6:27am

Then I don't know what's up.

adrianolimit · January 30, 2017, 7:47am

I'm using a template for my index in Elasticsearch and in this template there is not the field "indices", do you know if it's possible to index only the fields that are in my template and ignore (do not index) the others fields ?

magnusbaeck · January 30, 2017, 8:18am

I'm not sure. I suggest you start a new topic in the Elasticsearch category.

adrianolimit · January 30, 2017, 8:41am

It is possible to use remove_field => on my k object?

Something like this : remove_field => "[entities][hashtags][k][indices]"

One other thing, when I tried to use set() method in my k object like this :

event.get('[entities][hashtags]').each {|k|
	 event.tag('foo')
	 k.set('indices','this is a test')
}

I obtained the following error :

Ruby exception occurred: undefined method `set' for {"indices"=>[72, 80], "text"=>"data"}:Hash

Is it normal?

magnusbaeck · January 30, 2017, 8:52am

Is it normal?

Yes, that's expected.

adrianolimit · January 30, 2017, 8:59am

So my only solution is to delete my objects in my array like this :

remove_field => "[entities][hashtags][0][indices]"
remove_field => "[entities][hashtags][1][indices]"

That works, but the problem is that I can have 0 or x objects in my array... How can I do this dynamically?

Thank you in advance.

system · February 27, 2017, 8:59am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.