How to move all the json fields at root level to a sub json node?

STAR_DEVX · January 17, 2020, 8:34pm

I want to move all the json node at the root level to a sub level jason node. What's the most efficient way to use filters to achieve that?

root level
{
"a": 1,
"b": "str",
"c": {"key": "value"}
}

I want the result to be:
{
"data": {
"a": 1,
"b": "str",
"c": {"key": "value"}
}
}

The most intuitive thought is to use mutate-rename filter.
mutate {
rename => { reference to the root level json => "data" }
}
However, I couldn't find a way to reference the root level json.

Thank you in advance.

Badger · January 17, 2020, 10:49pm

I would do something like this:

ruby {
    code => '
        event.to_hash.each { |k, v|
            unless [ "@timestamp", "@version", "host", "message" ].include?(k)
                event.set("[data][#{k}]", v)
                event.remove(k)
            end
        }
    '
}

STAR_DEVX · January 20, 2020, 9:55pm

It works like a charm! Thank you!

system · February 17, 2020, 9:55pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.