Logstash - ruby script to create array of nested fields

Elastic Stack Logstash
1

Hello,

I currently have the below JSON structure

"Unit": {
						"Unit": ["QA", "FA"],
						"QTY": ["2", "5"],
						"ID": ["1", "2"],
						"Item": ["Shirt", "Trousers"],
						"Price": ["10", "50"]
					}

and want to write a logstash script to to break the array of values to represent it like below :

"Unit": {
{
"Unit": "QA",
"QTY": "2",
"ID": "1",
"Item": "Shirt",
"Price": "10"
},
{
"Unit": "FA",
"QTY": "5",
"ID": "2",
"Item": "Trousers",
"Price": "50"
}
}

Is there an efficient approach to solve this ? I believe this could be solved by ruby filter plugin after going through a few links like : Indent any json file nested fields and make it flat. Could this also be solved in any other way other than writing a ruby script ?

2

I was really surprised at how ugly the code I wrote to do this is. I feel there should be a much easier way.

    ruby {
        code => '
            a = []
            u = event.get("Unit")
            h1 = {}
            h2 = {}

            u.each { |k,v|
                h1[k] = v[0]
                h2[k] = v[1]
            }
            a << h1
            a << h2
            event.set("MonsiuerSpalanzani", a)
        '
        remove_field => [ "Unit" ]
    }
    split { field => "MonsiuerSpalanzani" }
    ruby {
        code => '
            event.get("MonsiuerSpalanzani").each { |k,v|
                event.set(k, v)
            }
        '
        remove_field => [ "MonsiuerSpalanzani" ]
    }

Hmm. Thinking about it, this would be much cleaner if done as a ruby script file, since that can return an array of events, so the split would not be needed. If you create a file called invertUnits.rb containing

def register(params)
    @field = params['field']
end

def filter(event)
    newEvents = []

    o = event.get(@field)
    if !o
      newEvents << event
    else
      (0..1).each { |n|
        e = LogStash::Event.new
        o.each { |k, v|
          e.set(k, v[n])
        }

        [ "@timestamp", "@version", "host", "sequence" ].each { |k|
          v = event.get(k)
          if v
            e.set(k, v)
          end
        }

        newEvents << e
      }
    end

    newEvents
end

then call it using

    ruby {
        path => "/home/user/invertUnits.rb"
        script_params => { "field" => "Unit" }
    }
3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.