Logstash nested array with special key value pair

PieterF · April 18, 2024, 3:02pm

Hi,

We ingest Firebase logs with format json.
Now there are some properties that have an array of objects with the following structure: the key is always a string but the value is saved depending on type.

event_params": [
        {
            "key": "firebase_screen_class",
            "value": {
                "double_value": null,
                "float_value": null,
                "int_value": null,
                "string_value": "Controller"
            }
        },
        {
            "key": "skipAllowed",
            "value": {
                "double_value": null,
                "float_value": null,
                "int_value": null,
                "string_value": "no"
            }
        },
        {
            "key": "firebase_id",
            "value": {
                "double_value": null,
                "float_value": null,
                "int_value": 99465839919,
                "string_value": null
            }
        },

All Strings, Ints, are grouped now which is unwanted.
I want to bring the "key" with the "value" thats not null to a new field.

filter {
   if [fields][type] == "firebase"{
      grok {
         match => { "message" => "%{SPACE}%{GREEDYDATA:JSON}%{SPACE}"}
      }
      json{
         source => "JSON"
         target => "FB"
      }
      ruby {
          code => "event.set('log_time_MS', event.get('[FB][event_timestamp]') / 1000)"
      }
      date{
         match => ["log_time_MS","UNIX_MS"]
         target => "log_time"
      }
   }
}

who can put me in the right direction of approaching this problem.

Badger · April 18, 2024, 5:05pm

Not sure if this is what you want, but if you use

    ruby {
        code => '
            event_params = event.get("event_params")
            event_params.each { |x|
                puts x["value"].find(ifnone = nil) { |k, v| v != nil }[1]
                event.set(x["key"], x["value"].find(ifnone = nil) { |k, v| v != nil }[1])
            }
        '
    }

you will get

"firebase_screen_class" => "Controller",
          "firebase_id" => 99465839919,
           "@timestamp" => 2024-04-18T17:04:26.617552505Z,
          "skipAllowed" => "no"