Hi,
Right now I have an entry like this after applying kv filter:
"b/r/n": "1/1/0",
I would like this entry to be expanded as:
"b/r/n": { # the field name is not strictly to be "b/r/n"
"b": 1,
"r": 1,
"n": 0
}
Can somebody give me an idea if this is possible? I think this might be workable by ruby filter. But I am not sure.
ideally you want that { "b/r/n": "1/1/0" } hash to be in a field with a known name, so you can then do:
input { stdin { codec => json } }
filter {
ruby { code => 'old_hash = event.get("data");
new_hash = {};
old_hash.each do |k, v|
keys = k.split("/")
values = v.split("/")
new_hash[k] = Hash[keys.zip(values)]
end
event.set("data", new_hash)'
}
}
output { stdout { codec => rubydebug } }
Then testing this results in:
/tmp/logstash-5.4.1 % echo '{"data": {"b/r/n": "1/2/3", "a/b/c": "9/8/7" }}' | bin/logstash -f ../cfg
{
"@timestamp" => 2017-06-20T10:02:44.522Z,
"data" => {
"a/b/c" => {
"a" => "9",
"b" => "8",
"c" => "7"
},
"b/r/n" => {
"b" => "1",
"r" => "2",
"n" => "3"
}
},
"@version" => "1",
"host" => "Joaos-MBP-5"
}
Beware that this code doesn't deal with exception scenarios, like uneven number of elements ("b/r": "1/1/0") or if some elements in the hash are not in this form (e.g. { "b/r/n": "1/1/0", "hey": "you"})
Wow. This is incredible. Thank you so much!
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.