Logstash Split input and save new event.original

Gosborne · June 27, 2022, 9:11am

Good Morning,

I am trying to split up some JSON logs that are collected from an Eventhub and i'm running into a few issues.

My logstash filter below works fine and splits the json based on a field called records, and then removes the records top level field.

	# Split results into individual events
	split {
		field => "records"
	}
	
	ruby {
		code => "
			event.get('records').each {|k, v|
			event.set(k, v)
			}
			event.remove('records')
		"
	}
	
	mutate {
		copy => {"[message]" => "[event][original]"} 
	}

The problem i have is now how do i place the true original log (i.e. split out without the records) into event.orginal?

Message still contains the full eventhub file, not my updated logs. Does anyone know how i now place this new formatted log into event.orginal so i can use it elsewhere?

system · July 25, 2022, 9:12am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Handling events after using split Logstash	3	1009	July 6, 2020
Create new records from old one Logstash	8	409	January 12, 2022
Splitting Logstash message Logstash	6	262	November 21, 2023
Logstash - split array into individual events Logstash	7	6356	June 16, 2019
[JSON filter] Split Dynamic fields Logstash	4	1558	March 11, 2019

Logstash Split input and save new event.original

Related Topics