input:
{"cookies":{"mfov":"ZTE Q705U","sver":"5915","appid":"1","mfo":"ZTE","sysver":"4.2.2","plat":"1","sys":"android"}}
filter{
json {
source => ["message"]
}
}
how to remove prefix "cookie." of filed_name
i've tried
mutate {
rename => ["[cookies][mfo]","mfo"]
rename => ["[cookies][mfov]","mfov"]
rename => ["[cookies][plat]","plat"]
}
but there's only a few of entries affected
Works fine with Logstash 2.3.2:
$ cat data
{"cookies":{"mfov":"ZTE Q705U","sver":"5915","appid":"1","mfo":"ZTE","sysver":"4.2.2","plat":"1","sys":"android"}}
$ cat test.config
input { stdin { codec => json } }
output { stdout { codec => rubydebug } }
filter {
mutate {
rename => ["[cookies][mfo]","mfo"]
rename => ["[cookies][mfov]","mfov"]
rename => ["[cookies][plat]","plat"]
}
}
$ /opt/logstash/bin/logstash -f test.config < data
Settings: Default pipeline workers: 8
Pipeline main started
{
"cookies" => {
"sver" => "5915",
"appid" => "1",
"sysver" => "4.2.2",
"sys" => "android"
},
"@version" => "1",
"@timestamp" => "2016-07-15T06:41:53.397Z",
"host" => "lnxolofon",
"mfo" => "ZTE",
"mfov" => "ZTE Q705U",
"plat" => "1"
}
Pipeline main has been shutdown
stopping pipeline {:id=>"main"}
thanks, can i remove all prefix? there's so many nested field. it's hard to rename each field.
You need to use a ruby filter for that. I'm pretty sure there are examples of that (or something very similar) in the archives here or on StackOverflow.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.