I have fields that come into the system with nested components.
Using this code in logstash:
if [receivers] {
  split {
    field => "receivers"
  }
}
ruby {
  code => "
    event.get('receivers').each do |key, value|
      if value.is_a?(Hash) || value.is_a?(Array)
        event.set('receiver_'+key, value.to_json)
      else
        event.set('receiver_'+key, value)
      end
    end
  "
}
Seems to work to unnest the document AND create a new field, but it does not work if the field has nested keys. For example, here is part of the field that is coming in from Redis:
"receivers": [
  {
    "stream_type": "HLS",
    "target_duration": 4.1,
    "selection": {
      "found": true,
      "resolution": "1280x720",
      "bandwidth": 6281474,
      "codecs": "mp4a.40.5,avc1.640020"
    },...
]
field and thus does not create a new field (see image below)
Am I missing something that will allow me to create a field like:
receiver_networks_source_ip : ipaddress
I think the Ruby code itself is sound, because if I build an array outside of Logstash I can loop through and map out keys with . in the name. So I'm guessing it's a Logstash thing?
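
An added example, not part of the original post: one way to get fields such as receiver_networks_source_ip is to recurse into nested hashes instead of serializing them with to_json. The FakeEvent class stands in for the Logstash event so the code runs outside Logstash, and the "networks"/"source_ip" entry in the sample is a constructed assumption about the elided part of the document.

```ruby
require 'json'

# Walk a nested Hash and return a flat Hash whose keys are the path
# components joined with '_' (selection.found -> receiver_selection_found).
# Arrays are kept as JSON strings, as in the filter from the post.
def flatten_receiver(value, prefix = 'receiver', out = {})
  case value
  when Hash
    value.each { |k, v| flatten_receiver(v, "#{prefix}_#{k}", out) }
  when Array
    out[prefix] = value.to_json
  else
    out[prefix] = value
  end
  out
end

# Constructed sample: one element of "receivers" after the split filter.
# 'networks' => 'source_ip' is an assumed shape with a documentation address.
SAMPLE_RECEIVER = {
  'stream_type' => 'HLS',
  'target_duration' => 4.1,
  'selection' => {
    'found' => true,
    'resolution' => '1280x720',
    'bandwidth' => 6281474,
    'codecs' => 'mp4a.40.5,avc1.640020'
  },
  'networks' => { 'source_ip' => '192.0.2.10' }
}.freeze

# Minimal stand-in for the Logstash event (get/set only), for offline runs.
class FakeEvent
  def initialize(data); @data = data; end
  def get(key); @data[key]; end
  def set(key, value); @data[key] = value; end
end

# Logic that would sit in the ruby filter's code block (with the helper
# defined in the same block). Events without a Hash in 'receivers' are skipped.
def apply_filter(event)
  receiver = event.get('receivers')
  return unless receiver.is_a?(Hash)
  flatten_receiver(receiver).each { |k, v| event.set(k, v) }
end
```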