Hello Team,
I would like to use an event api inside ruby filter to get nested fields with attribute value. I have a sample here as below:
"Event1" => { "Event2" => { "name" => "ABC", "Property" => [ [ 0] { "name" => "ABC", "flag" => "false", } ] } } }
and the ruby filter code used to capture as below:
ruby {
code => '
entry = event.get("[Event][Event1][Event2 @name="ABC"][Property]"])
...
...
event.set("field", value)
}
'
}
Thanks in advance...Your feedback will be appreciated
You cannot do xpath-like references in ruby.
If you want the whole of the Property array you would do
entry = event.get("[Event][Event1][Event2][Property]")
(that's assuming that the [Event1] field is nested inside a top-level [Event] field). If you want the first entry of the array then use
entry = event.get("[Event][Event1][Event2][Property][0]")
If there are multiple entries in the Property array and you want to select one by name then you would need to iterate over the array. There are many ways to do that. I have not tested this one, it is just an example
ruby {
code => '
entry = event.get("[Event][Event1][Event2][Property]
if entry
index = entry.index { |x| x["name"] == "ABC" }
theOneYouWant = entry[index]
end
...
'
}
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.