How to nest all fields in an event under a new field in logstash?

Yuval_Khalifa · October 29, 2019, 2:17pm

Hi all,

How can use logstash to convert an event like this:
{
"@timestamp": "2019-10-29T13:33:46.378Z",
"message": "p_name=yuval;p_surname=khalifa;p_age=41",
"host": "yuvalk",
"p_age": "41",
"@version": "1",
"p_surname": "khalifa",
"p_name": "yuval"
}

to this:
{
"security": {
"@timestamp": "2019-10-29T13:33:46.378Z",
"message": "p_name=yuval;p_surname=khalifa;p_age=41",
"host": "yuvalk",
"p_age": "41",
"@version": "1",
"p_surname": "khalifa",
"p_name": "yuval"
}
}

without handling each field individually by its name.
Is there a way to do that?

Badger · October 29, 2019, 2:21pm

You could do it using ruby

    ruby {
        code => '
            event.to_hash.each { |k, v|
                event.set("[security][#{k}]", v)
                event.remove(k)
            }
        '
    }

But note that not having a @timestamp field may not work out well for you.

system · November 26, 2019, 2:21pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Is it possible to do nested calls of event fields? Logstash	2	313	April 23, 2020
Access nested logstash event key in ruby Logstash	2	1387	March 7, 2019
Move all fields to a subfield? Logstash	3	1396	April 27, 2020
Logstash:event api to get nested fields with attribute values in ruby filter Logstash	2	1131	May 7, 2021
Using logstash to denomalize data? Logstash	3	256	February 16, 2022

How to nest all fields in an event under a new field in logstash?

Related Topics