Event.remove not working

Akash_Kumar_Dutta · June 1, 2018, 6:30am

I am using the following ruby filter to update the fields.

def filter(event)
  keys = event.to_hash.keys
  keys.each{|key|

    if ( key.start_with? '_' and key != "_@timestamp")
      value = event.get(key)
      newkey = key.sub!(/^_/, '')
      event.remove(key)
      event.set(newkey , value)

    elsif (key == "_@timestamp")
      value = event.get(key)
      event.set("@apptimestamp", Time.at(value))
      event.remove(key)
    end
      
  }
  return [event]

  rescue Exception => e
    event.set('logstash_ruby_exception', 'underscores: ' + e.message)
    return [event]
end

The code duplicates fields starting with underscore, to fields not starting with underscore. But for some reason doesn't eliminate the one's starting with underscore. That is, event.remove doesn't work as expected. Any ideas?

Thanks in advance!

guyboertje · June 1, 2018, 8:31am

What version of Logstash?

Akash_Kumar_Dutta · June 1, 2018, 8:33am

6.2.4
image used is docker.elastic.co/logstash/logstash:6.2.4

guyboertje · June 1, 2018, 10:05am

sub! alters the value of key so it is not removable.
In Ruby IRB...

irb(main):001:0> key = "_abc"
=> "_abc"
irb(main):002:0> key.sub!(/^_/, "")
=> "abc"
irb(main):003:0> key
=> "abc"

Looking at how the mutate filter works and with my knowledge of ruby I suggest this improvement.

input {
  generator {
    message => '{"_a": "A", "_b": "B", "c_": "C"}'
    count => 1
  }
}

filter {
  json {
    source => "message"
  }
  if "_jsonparsefailure" not in [tags]  {
    ruby {
      code => '
        keys = event.to_hash.keys
        keys.select{|key| key.start_with?("_") && key != "_@timestamp" }.each do |key|
          newkey = key[1, key.length] # we know the first character is an underscore
          event.set(newkey, event.remove(key))
        end
        # deal with _@timestamp here, not inside the iterator
      '
    }
  }
}

output {
  stdout {
    codec => rubydebug
  }
}

Gives

{
      "sequence" => 0,
             "a" => "A",
             "b" => "B",
    "@timestamp" => 2018-06-01T09:57:42.934Z,
      "@version" => "1",
          "host" => "Elastics-MacBook-Pro.local",
       "message" => "{\"_a\": \"A\", \"_b\": \"B\", \"c_\": \"C\"}",
            "c_" => "C"
}

Akash_Kumar_Dutta · June 1, 2018, 12:57pm

Thank you so much! I am so silly, didn't notice that!

system · June 29, 2018, 12:57pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Remove Specific Field matching pattern Logstash	5	754	April 19, 2023
Ruby Filter - Event.Remove Inconsistent Results Logstash	9	5753	August 7, 2018
New operation for the mutate filter? Logstash	3	1237	March 15, 2017
How to remove subfield using ruby Logstash	5	5657	January 2, 2017
How to remove any field matching a string Logstash	2	901	July 6, 2017

Event.remove not working

Related Topics