JSON with comma separated string to multiple tags

Ranger_Rick · September 25, 2022, 10:54pm

Good evening! I really think this should be easy and straightforward but I am having a heck of a time with it so decided to ask the community.

My pipeline accepts daily json files and splits it out and further enriches portions of it. The provider of the JSON changed a field format from assigned numbers that were enriched through a dictionary path.

The field [categories] is either empty or can contain multiple values that are separated by a comma. Sadly, this field is not delivered as an array but a string.

Example1: "categories":"letter,next-day,special-handling,insured"

Example2: "categories":"package,ground,insured"

What I need is to make each individual element its own tag with a static, preceding label (method:) for filtering in Kibana.

If the [categories] field is not empty, the final product would be tags that look like:
Example1 Tags:
method:letter
method:next-day
method:special-handling
method:insured

Example2 Tags:
method:package
method:ground
method:insured

Thank you for any help you are able to provide!

Badger · September 26, 2022, 12:15am

    ruby {
        code => '
            c = event.get("categories")
            if c
                c.split(",") { |x| event.tag("method:#{x}") }
            end
        '
    }

will produce

      "tags" => [
    [0] "method:letter",
    [1] "method:next-day",
    [2] "method:special-handling",
    [3] "method:insured"
],

Ranger_Rick · October 9, 2022, 1:38am

Sorry for the late reply, multiple other projects popped up and took my time. First of all, thank you very much!

I used your code shortly after you responded and it had partially worked.

It did add "method:" before the very first item but not the others and it still strung them together. One of the tags came out like this:

"tags" = [
    "method:letter,next-day,special-handling,insured"
]

I took your code and tweaked it and it works perfectly now. Maybe not as concise by the results are exactly what I need.

I will put it here for anyone else struggling. XD

filter {
    ruby {
        code => '
            tag_1 = "method:"
            c = event.get("categories")
            if c
                list_1 = c.split(",")
            end

            for i in list_1
                event.tag(tag_1 + i)
            end
        '
    }
}

This provided me with the results i wanted in the resulting JSON/Kibana:

"tags" = [
    "method:letter"
    "method:next-day"
    "method:special-handling"
    "method:insured"
]

Now to look into removing the tag filebeat raw ingest tag.

system · November 6, 2022, 1:39am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.