Losgtash Ruby extract JSON Array Key Value

lueneburger · July 13, 2020, 7:21am

Hi Everyone,

i was looking last week for 2 days for this and i found a solution to my first use case, but i can't get it working for my second one also its the first time doing something with ruby, so maybe i missing something

its about the AWS SES log events for bounced emails, here is the snipped:

 "bounce": {
      "timestamp": "2020-07-09T10:06:09.000Z",
      "bouncedRecipients": [
        {
          "action": "failed",
          "diagnosticCode": "smtp;550 5.1.10 RESOLVER.ADR.RecipientNotFound; Recipient test@test.com not found by SMTP address lookup",
          "status": "5.1.10",
          "emailAddress": "test@test.com"
        }
      ]
  }

so i want to get all 4 fields and move it to bounce instead of bounce.bouncedRecipients

my filter right now is not working, i was thinking that i can just output the key + value of each entry of the array, but i only getting "key" and no "value" from this filter:

ruby {
    code => "event.get('[bounce][bouncedRecipients]').each {|hash| event.set('[bounce][' + hash[key] + ']', hash[value]) }"
}

i was also trying to get a hash.each but...ahm yea, maybe i was reading and talking to much about ruby and can't see the obvious solution

Thanks in advance for reading and hopefully also helping

Cheers

Jenni · July 13, 2020, 8:55am

The problem with your code is that it assumes that your entries in [bounce][bouncedRecipients] are structured like { "key": "action", "value" : "failed"}. But they aren't. They are just string values in a Hash.

ruby {
  code => "
    event.get('[bounce][bouncedRecipients]').each { |key, value|
      event.set('[bounce][' + key + ']', value)
    }
    event.remove('[bounce][bouncedRecipients]')
  "
}

lueneburger · July 13, 2020, 10:58am

Hi Jenni,

thanks for the help, now i getting a error in the logstash logs

Ruby exception occurred: no implicit conversion of Hash into String

already lookinf for it, but maybe you or someelse is faster

thanks in advance

Jenni · July 13, 2020, 11:01am

Sorry. I didn't see that bouncedRecipients is not a Hash, but an array with one entry. Your fields are in [bounce][bouncedRecipients][0].

lueneburger · July 13, 2020, 11:06am

awesome, it's working.

Thank you Jenni

cheers

system · August 10, 2020, 11:06am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.