After I use the kv plugin to parse the log, I want to filter the value further. I want to further process the value of cmd. Replace \" with ".how to use ruby filter to loop through k,v pairs?
I used the target in the kv plugin, using ruby to pick up the target for parsing and filtering, but the target changed the original field name.
my data look like below:
level="2" treatment="3" cmd1="\"D:\Program Files (x86)\a\safe\modules\setup.exe\" /s /smartsilence" type="sys"
the logstash config look like below:
kv {
source => "message"
field_split => "[,\s]"
value_split => "="
trim_key => "\s"
trim_value => "\""
target => "kv"
}
ruby {
code => "
event = event.get('kv')
event.each { |key,value|
if value.include? '\"'
event[key] = value.gsub!('\"', '')
end
}
"
}
the result is :
kv {
level="2"
treatment="3"
cmd="D:\Program Files (x86)\a\safe\modules\setup.exe /s /smartsilence"
type="sys"
}
The original field name might be cmd, but it now becomes kv.cmd.
What should I do if I don't use target as a connection? Or after using the target in ruby,how to extract the data in the target to the root directory?