Move all fields to a subfield?

sliddjur · March 29, 2020, 2:51pm

I want to move all my fields to a specified subfield. However, I don't know all the field names.

Alternatively if there is a way for grok filter to set the target field or similar?

I found an old post that did this, which crashed my logstash (v7.6)

    ruby {
        code => "
            event['new_val'].each {|k,v|
                event[k] = v
                }
            }
            event.remove('new_val')
        "
    }

Badger · March 29, 2020, 3:31pm

Referring to the event as a hash was disabled years ago, you need to use the event API, like this.

sliddjur · March 30, 2020, 10:29am

For future reference, this was what I was looking for:

    ruby {
        code => '
            event.to_hash.each { |k, v|
                event.set("[field][" . k . "]" , v)
            }
        '
    }

But what was even better, is that I found out that the new grok-filter version 4.3.0 does indeed come with a target option, which is essentially what I actually wanted.

system · April 27, 2020, 10:29am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to nest all fields in an event under a new field in logstash? Logstash	2	753	November 26, 2019
Logstash move subfield to top field Logstash	7	732	September 7, 2020
How to iterate over all fields with new Event API Logstash	2	2509	January 17, 2018
Ruby filter loop through fields in logstash 5? Logstash	3	3246	February 17, 2017
How to remove subfield using ruby Logstash	5	5659	January 2, 2017

Move all fields to a subfield?

Related topics