How to handle key value pairs when keys and values are in different fields

Elastic Stack Logstash
1

Hello,

In the events that are being processed there are key value pairs where the keys and the values are in two fields. What is the best way to handle these?

Example data:

data.httpRequest.headers.name
[host, connection, accept, accept-language, sec-fetch-mode, user-agent, accept-encoding]

data.httpRequest.headers.value
[api.website.com, keep-alive, */*, *, cors, undici, br, gzip, deflate]

Thanks all once again,

2

You could start with something like

input { generator { count => 1 lines => [ '' ] } }

output { stdout { codec => rubydebug { metadata => true } } }
filter {
    mutate { remove_field => [ "event", "host", "log" ] }

    mutate {
        add_field => {
            "[data][httpRequest][headers][name]" => [ "host", "connection", "accept", "accept-language", "sec-fetch-mode", "user-agent", "accept-encoding"]
            "[data][httpRequest][headers][value]" => [ "api.website.com", "keep-alive", "*/*", "*", "cors", "undici", "br", "gzip", "deflate"]
        }
    }
    ruby {
        code => '
            begin
                names = event.get("[data][httpRequest][headers][name]")
                values = event.get("[data][httpRequest][headers][value]")

                names.each_index { |i|
                    event.set(names[i], values[i])
                }
            rescue
            end
        '
    }
}

You have seven names and nine values, so that code ignores the last two. That may not be what you want to do.

3

Thank you, will try this.

4

Hello again, if the list is dynamic, would the following work.
Is it possible to iterate through the list of names and add the fields like that?
Thanks again,

    ruby {
        code => '
            begin
                names = event.get("[data][httpRequest][headers][name]")
                values = event.get("[data][httpRequest][headers][value]")

                names.each_index { |i|
                    event.add_field("[data][httpRequest][headers]names[i]")
                    event.set("[data][httpRequest][headers]names[i]", values[i])
                }
            rescue
            end
        '
    }
5

There is no .add_field method in the event API. And for the .set you will need to use string magic to do the interpolation

event.set("[data][httpRequest][headers][#{names[i]}]", values[i])