How to nest all fields in an event under a new field in logstash?

Yuval_Khalifa · October 29, 2019, 2:17pm

Hi all,

How can use logstash to convert an event like this:
{
"@timestamp": "2019-10-29T13:33:46.378Z",
"message": "p_name=yuval;p_surname=khalifa;p_age=41",
"host": "yuvalk",
"p_age": "41",
"@version": "1",
"p_surname": "khalifa",
"p_name": "yuval"
}

to this:
{
"security": {
"@timestamp": "2019-10-29T13:33:46.378Z",
"message": "p_name=yuval;p_surname=khalifa;p_age=41",
"host": "yuvalk",
"p_age": "41",
"@version": "1",
"p_surname": "khalifa",
"p_name": "yuval"
}
}

without handling each field individually by its name.
Is there a way to do that?

Badger · October 29, 2019, 2:21pm

You could do it using ruby

    ruby {
        code => '
            event.to_hash.each { |k, v|
                event.set("[security][#{k}]", v)
                event.remove(k)
            }
        '
    }

But note that not having a @timestamp field may not work out well for you.

system · November 26, 2019, 2:21pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Is it possible to do nested calls of event fields? Logstash	2	315	April 23, 2020
How to iterate over all fields with new Event API Logstash	2	2509	January 17, 2018
Access nested logstash event key in ruby Logstash	2	1388	March 7, 2019
Move all fields to a subfield? Logstash	3	1403	April 27, 2020
The best practice to nest a hash? Logstash	5	1228	July 28, 2017

How to nest all fields in an event under a new field in logstash?

Related topics