Extract nested fields into new fields

a.kuz · November 22, 2019, 7:50am

Hi! I have json input like:

Summary

{
"Parameters": [
{
"Name": "SentTo",
"Value": "User User"
},
{
"Name": "BlindCopyTo",
"Value": "Username Username"
},
{
"Name": "Name",
"Value": "user_to_username"
},
{
"Name": "StopRuleProcessing",
"Value": "False"
},
{
"Name": "Mode",
"Value": "Enforce"
},
{
"Name": "Comments",
"Value": ""
},
{
"Name": "RuleErrorAction",
"Value": "Ignore"
},
{
"Name": "SenderAddressLocation",
"Value": "Header"
}
],
},
}

I can access to those fields and extract them into new fields by:

Summary

mutate {
add_field => { "[ParametersActionName]" => "%{[Parameters][0][Name]}" }
add_field => { "[Parameters][ActionName]" => "%{[Parameters][0][Name]}" }
add_field => { "[ParametersExt][ActionName]" => "%{[Parameters][0][Name]}" }
add_field => { "[ParametersActionType]" => "%{[Parameters][0][Value]}" }
add_field => { "[ParametersToType]" => "%{[Parameters][1][Name]}" }
add_field => { "[ParametersRecipient]" => "%{[Parameters][1][Value]}" }
add_field => { "[ParametersRuleName]" => "%{[Parameters][2][Name]}" }
add_field => { "[ParametersRuleNameValue]" => "%{[Parameters][2][Value]}" }
add_field => { "[ParametersRuleProcessing]" => "%{[Parameters][3][Name]}" }
add_field => { "[ParametersIsStop]" => "%{[Parameters][3][Value]}" }
add_field => { "[ParametersMode]" => "%{[Parameters][4][Name]}" }
add_field => { "[ParametersActionMode]" => "%{[Parameters][4][Value]}" }
add_field => { "[ParametersComments]" => "%{[Parameters][5][Name]}" }
add_field => { "[ParametersCommentsVal]" => "%{[Parameters][5][Value]}" }
add_field => { "[ParametersRuleError]" => "%{[Parameters][6][Name]}" }
add_field => { "[ParametersRuleErrorAction]" => "%{[Parameters][6][Value]}" }
add_field => { "[ParametersSenderAddressHeader]" => "%{[Parameters][7][Name]}" }
add_field => { "[ParametersSenderAddressHeaderLocation]" => "%{[Parameters][7][Value]}" }
}

But it actual only on current event and number of fields as some fields in Parameters are changes. So, i want to make new fields depends on value of nested Name and Value, for example:

Summary

add_field => { "[%{[Parameters][0][Name]}]" => "%{[Parameters][0][Value]}" } as SentTo: User User
add_field => { "[%{[Parameters][1][Name]}]" => "%{[Parameters][1][Value]}" } as BlindCopyTo: Username Username
add_field => { "[%{[Parameters][2][Name]}]" => "%{[Parameters][2][Value]}" } as Name: user_to_username

...
How can i make a loop and accessing to index of Parameters?
Thanks in Advance.

rameshkr1994 · November 22, 2019, 8:37am

Hi @a.kuz.

i think you can do this withing elastic query!!!.

same like sql query for concatenate your columns then and make as single column.

Thanks
HadoopHelp

Christian_Dahlqvist · November 22, 2019, 9:33am

I would recommend you use the ruby filter.

a.kuz · November 22, 2019, 10:46am

That is a problem, i don't know how to do it with ruby

Badger · November 22, 2019, 2:30pm

You could start with something like this.

a.kuz · November 25, 2019, 7:28am

Solution is here
@Badger thanks!

system · December 23, 2019, 7:28am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.