How to loop through array in Logstash?

rijo_joseph · December 14, 2021, 6:26am

{
  "modifiedTime": "2021-12-13T06:47:11.138Z",
  "task_owner_name": null,
  "contents": [
    {
      "eligible": false,
      "rawResponse": "454536251",
      "id": 868286622
    },
    {
      "eligible": false,
      "categoryScores": null,
      "analysisRequired": false,
      "questionId": 1000036797,
      "rawResponse": "454536251"
    },
    {
      "eligible": true,
      "categoryScores": null,
      "analysisRequired": true,
      "questionId": 1000036794,
      "rawResponse": "Us06OA26CyGf+TyFQU0t1lEjqs9OsOgBl0Uh1FcWg8lKODvn1573ODvleS9n9oU0mmcwd"
    }
  ],
  "author_post_flag": false
  }

I need to loop through "contents" array and need to perform decrypt the field "rawResponse" if "eligible" == "true"

currently Im doing like this

filter {
  if [contents][0][eligible]{
 cipher
{
 mode => decrypt
 algorithm => "AES-256-CBC"
 iv_random_length => 16
 key  => "***************"
 key_size => 32
 source => "[contents][0][rawResponse]"
 target => "[contents][0][rawResponse]"

}}}

It is working but I need to dynamically get the index value of the array , Currently it is hard coded, Can anyone please help

Badger · December 14, 2021, 6:34pm

One option would be to use a split filter to split that event into multiple events which each have a [contents] field which is a hash rather than an array. If you need to, you can then recombine them into a single event.

The other option is to iterate over the array in a ruby filter.

ruby {
    code => '
        c = event.get("contents")
        if c.is_a? Array
            c.each { |x|
            if x["eligible"]
                resp = x["rawResponse"]
                value = ...
                event.set("rawResponse", value)
            end
        end
    '
}

You would have to figure out what to replace the ... with by repurposing code from the cipher filter.

rijo_joseph · December 15, 2021, 5:37am

do we need to specify the index variable here ? like event.set(x["rawResponse"],value) like ?

when I use this it is replacing the globally defined rawResponse value not inside the array

Badger · December 15, 2021, 1:07pm

Indeed, that code will not work. Perhaps

ruby {
    code => '
        c = event.get("contents")
        if c.is_a? Array
            c.each_index { |x|
            if c[x]["eligible"]
                resp = c[x]["rawResponse"]
                value = ...
                event.set(c[x]["rawResponse"], value)
            end
        end
    '
}

although I have not tested that either.

rijo_joseph · January 11, 2022, 9:15am

c = event.get("contents")
c.each_with_index do |value, index|
    if value["eligible"]
         resp = value["rawResponse"]
         value = 
         event.set("[contents][#{index}][rawResponse]",value)

above code is worked for me
thanks @Badger

system · February 8, 2022, 9:15am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.