If you use
    output { stdout { codec => rubydebug } }
what does the structure of a single document look like? Your description and sample data do not match at all. Did you mean it is something like
    {
        "1.12.84": "Name 1",
        "2.12.84": "Name 2",
        "3.12.84": "Name 3",
        "1.13.47": 1,
        "2.13.47": 2,
        "3.13.47": 3,
        "1.17.67": "String 1",
        "2.17.67": "String 2",
        "3.17.67": "String 3"
    }
If it does look anything like that you could use a ruby filter to reformat it
    json { source => "message" target => "[@metadata][snmpData]" remove_field => [ "message" ] }
    ruby {
        code => '
            # Map OID suffixes to readable field names
            keys = { "12.84" => "title", "13.47" => "value", "17.67" => "status" }
            snmpData = event.get("[@metadata][snmpData]")
            if snmpData.is_a? Hash
                h = {}
                snmpData.each { |k, v|
                    # Key format is "<instance>.<oid suffix>"; skip anything else
                    match = k.match(/\A(\d+)\.(.*)\z/)
                    next if match.nil?
                    instance = match[1]
                    oid = match[2]
                    if ! h.key? instance
                        h[instance] = {}
                    end
                    if keys.key? oid
                        oid = keys[oid]
                    end
                    h[instance][oid] = v
                }
                # Keep one hash per instance, as an array
                event.set("snmpData", h.values)
            end
        '
    }
At the end of the loop h will look like
    {
        "1"=>{"title"=>"Name 1", "value"=>1, "status"=>"String 1"},
        "2"=>{"title"=>"Name 2", "status"=>"String 2", "value"=>2},
        "3"=>{"title"=>"Name 3", "value"=>3, "status"=>"String 3"}
    }
Calling h.values discards the keys and converts that to an array
    [
        {"title"=>"Name 1", "value"=>1, "status"=>"String 1"},
        {"title"=>"Name 2", "status"=>"String 2", "value"=>2},
        {"title"=>"Name 3", "value"=>3, "status"=>"String 3"}
    ]
You can then use
    split { field => "snmpData" }
to end up with events like
    {
        "@timestamp" => 2020-05-08T22:53:04.180Z,
        "snmpData" => {
            "value" => 3,
            "title" => "Name 3",
            "status" => "String 3"
        }, ...
If you want to move the fields to the top level then see here.
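
The regroup-and-split steps from the answer above, as an added stand-alone Ruby example (not part of the original post) that can be run outside Logstash to check the logic before it goes into a pipeline. The names `regroup`, `split_events`, the `host` field and the sample JSON are constructed for illustration; the example goes beyond the post's sample by covering multi-digit instance numbers, unmapped OID suffixes and keys without an instance prefix.

```ruby
require "json"

# Suffix-to-name map taken from the filter in the post.
OID_NAMES = { "12.84" => "title", "13.47" => "value", "17.67" => "status" }.freeze

# Regroup {"<instance>.<oid>" => value} into one hash per instance.
# Keys that are not "<digits>.<rest>" are returned separately instead of raising.
def regroup(flat)
  rows = {}
  skipped = []
  flat.each do |key, value|
    m = /\A(\d+)\.(.+)\z/.match(key)
    if m.nil?
      skipped << key
      next
    end
    instance, oid = m[1], m[2]
    # Unmapped suffixes keep their numeric name, as in the post's filter.
    (rows[instance] ||= {})[OID_NAMES.fetch(oid, oid)] = value
  end
  [rows, skipped]
end

# Mimic the split filter: one output event per array element,
# with the other fields of the event copied into each.
def split_events(event, field)
  event[field].map { |item| event.merge(field => item) }
end

# Constructed sample: the post's layout plus a two-digit instance,
# an unmapped suffix and a key with no instance prefix.
SAMPLE = <<~JSON
  { "1.12.84": "Name 1", "1.13.47": 1, "1.17.67": "String 1",
    "10.12.84": "Name 10", "10.13.47": 10, "10.99.1": "extra",
    "sysUpTime": 12345 }
JSON

def run_sample
  rows, skipped = regroup(JSON.parse(SAMPLE))
  event = { "host" => "switch-a", "snmpData" => rows.values }
  [split_events(event, "snmpData"), skipped]
end

if __FILE__ == $PROGRAM_NAME
  events, skipped = run_sample
  events.each { |e| puts e.inspect }
  puts "skipped keys: #{skipped.inspect}"
end
```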