Logstash:event api to get nested fields with attribute values in ruby filter

prathibha · April 9, 2021, 6:46am

Hello Team,

I would like to use an event api inside ruby filter to get nested fields with attribute value. I have a sample here as below:

             "Event1" => {
                    "Event2" => {
                         "name" => "ABC",
                         "Property" => [
                            [ 0] {
                                     "name" => "ABC",
									 "flag" => "false",
							}
						 ]
				    }
				}
			}

and the ruby filter code used to capture as below:

ruby {
code => '
entry = event.get("[Event][Event1][Event2 @name="ABC"][Property]"])
...
...
event.set("field", value)
}
'
}

Thanks in advance...Your feedback will be appreciated

Badger · April 9, 2021, 4:10pm

You cannot do xpath-like references in ruby.

If you want the whole of the Property array you would do

entry = event.get("[Event][Event1][Event2][Property]")

(that's assuming that the [Event1] field is nested inside a top-level [Event] field). If you want the first entry of the array then use

entry = event.get("[Event][Event1][Event2][Property][0]")

If there are multiple entries in the Property array and you want to select one by name then you would need to iterate over the array. There are many ways to do that. I have not tested this one, it is just an example

ruby {
    code => '
        entry = event.get("[Event][Event1][Event2][Property]
        if entry
            index = entry.index { |x| x["name"] == "ABC" }
            theOneYouWant = entry[index]
        end
        ...
    '
}

system · May 7, 2021, 4:10pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.