KV generated field names contain spoaces and capitals

leoponton · April 13, 2018, 11:13am

I'm using the kv plugin to extract data from Windows ForwardedEvents. Typical data to process looks like:

Client Version: 1.21.204.0
Client Policy ID: e964d551-3d3c-4a8f-8b9c-a99cce9b7ce5
IP Addresses: 192.168.0.10
Process Name: MSIP.App
Action: Download Policy

KV splits by ':' into, e.g.
"Client Version" : "1.21.204.0"

I can't find a way to generate the fieldnames replacing the space and lowercasing, e.g.
"Client Version" -> "client_version"

There is a large number of fields to deal with so I would rather process them programatically than explicitly change each one by name.

Is there a way to do this?

magnusbaeck · April 13, 2018, 11:54am

You can use a ruby filter. I'm pretty sure examples of that have been posted in the past.

leoponton · April 13, 2018, 1:41pm

Thanks. I'm not a ruby programmer but I tried this. It didn't work. I'm sure my mistake is blindingly obvious...

ruby{
  code => "
      event.to_hash.each { |k,v| 
          k.gsub(/[ ]/, '_')
      }
  "
}

leoponton · April 16, 2018, 1:59pm

Okay, this is what I did ... eventually:

ruby{
  # rename fields to lowercase replacing space with _
  code => "
    event.to_hash.keys.each { |key|
      v = event.get(key)
      event.remove(key)
      event.set(key.gsub(/ /, '_').downcase, v)
    }
  "
}

Topic		Replies	Views
Using kv to produce fields with every word capitalized Logstash	3	521	August 20, 2020
Adding prefex to the field extracted via KV plugin Logstash	4	447	July 21, 2021
Help on case sensitive kv plugin Logstash	4	592	September 8, 2017
Using KV processors when field names have space Elasticsearch	2	838	September 9, 2020
Lowercase all fields and sub fields Logstash	2	2714	April 27, 2019

KV generated field names contain spoaces and capitals

Related topics