How can I remove the object in nested array by logstash?

Elastic Stack Logstash
1

Hi,
The log output like this:

{
        "@timestamp" => 2019-09-19T17:30:48.984Z,
       "characterid" => "20036815",
    "inventory_item" => [
        [ 0] {
                 "item_equipped" => true,
                    "item_count" => 1,
                     "item_type" => "1",
                       "item_id" => 102022
        },
        [ 1] {
                 "item_equipped" => true,
                    "item_count" => 1,
                     "item_type" => "3",
                       "item_id" => 23201
        },
        [ 2] {
                 "item_equipped" => false,
                    "item_count" => 1,
                     "item_type" => "2",
                       "item_id" => 910
        },
        [ 3] {
                 "item_equipped" => false,
                    "item_count" => 1,
                     "item_type" => "3",
                       "item_id" => 21400
        },
        [ 4] {
                 "item_equipped" => false,
                    "item_count" => 1,
                     "item_type" => "2",
                       "item_id" => 21401
        },
        [ 5] {
                 "item_equipped" => true,
                    "item_count" => 1,
                     "item_type" => "4",
                       "item_id" => 21402
        }
    ]
}

I want to output like this, after filter:

{
        "@timestamp" => 2019-09-19T17:30:48.984Z,
       "characterid" => "20036815",
    "inventory_item" => [
        [ 0] {
                 "item_equipped" => true,
                    "item_count" => 1,
                     "item_type" => "1",
                       "item_id" => 102022
        },
        [ 1] {
                 "item_equipped" => true,
                    "item_count" => 1,
                     "item_type" => "3",
                       "item_id" => 23201
        },
        [ 2] {
                 "item_equipped" => true,
                    "item_count" => 1,
                     "item_type" => "4",
                       "item_id" => 21402
        }
    ]
}

[inventory_item][item_equipped] != true then will be remove.

I used ruby plugin. But it seems don't work.

ruby {
    code => "
        event.get('inventory_item').each do |item|
            if item['item_equipped'] == false
                event.remove('[#{item}]')
            end
        end
        
    "
}

Do you have any suggtions?

2

U can use mutate to remove fields like below

filter {
mutate { remove_field => "[inventory_item][3]"
}

This should remove the complete array 3.

If u want to delete a field in array "[inventory_item][3][item_equipped]" replace the remove field with this.

3

Thanks for reply.
But array 3's item_equipped maybe is true, or maybe is false.
And I don't know how many item_equipped will be true, and how many item in inventory_item?

4

Am not sure but you can try this

filter {
mutate { remove_field => "[inventory_item][item_equipped]" }
}
Leave the middle array empty

5 
    ruby {
        code => '
            a = event.get("inventory_item")
            a = a.delete_if { |x| ! x["item_equipped"] }
            event.set("inventory_item", a)
        '
    }

Error checking is left as an exercise for the reader.

1 Like
6

Thank you !

7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.