Need to parse field name via logstash

Elastic Stack Logstash
1

Hi,
I need to parse the field in the following input JSON via Logstash.

INPUT

{

	"xyz": {
		"http://com.myappliation.com/abc/def/fieldName": "value",
		"id": "hsakjh-uuekjn-kj48ehu,
		"http://com.myappliation.com/abc/defghii/fieldName2": "value",
		"http://com.myappliation.com/abc/defhkjd/fieldName3": "value",
	
	}

}

I need to parse the field name eg : http://com.myappliation.com/abc/defghii/fieldName2 and rename it to fieldName2

The internal JSON xyz is dynamic so I need to Identify whenever the field like this "http://abc/123/ssdf/fieldName2" will come I need to rename that field to the last dir name i.e fieldName2 in this case.

Expected Output :

{
        	"xyz": {
        		"fieldName": "value",
        		"id": "hsakjh-uuekjn-kj48ehu",
        		"fieldName2": "value",
        		"fieldName3": "value"

        	}

        }

I am trying but unable to find the solution till now, also tried to use ruby filter and grok.

Thanks in Advance :slight_smile:

2

I would do it in a ruby filter. I have not tested it, but something like

ruby {
    code => '
          xyz = event.get("xyz")
          if xyz
                newxyz = {}
                xyz.each { |k, v|
                    newk = k.gsub(".*/", "")
                    newxyz[newk] = v
                }
                event.set("xyz", newxyz)
          end
    '
}
3

Hi @Badger ,
I am using this now but that gsub is not working. It is giving me the same output as input. The regex is correct, but idk why the gsub function is not working here.

4

That's what you get for not testing before posting. Change the gsub line to

 newk = k.gsub(/.*\//, "")
5

Oh! I got it .
Thanks.

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.