I often find myself using the `ruby` filter below in order to "move" a sub-structure at the root level in order to use it as the main event.

```
ruby {
  code => "
    event.to_hash.delete_if {|k, v| k != 'payload'}
    event.to_hash.update(event.get('payload').to_hash)
    event.to_hash.delete_if {|k, v| k == 'payload'}
  "
}
```

Disclaimer: I'm a Ruby noob, so I'm pretty sure there's a better way to achieve the exact same thing. Feel free to chime in if you have a better way.
For instance, the raw events I get are of the following form:

```json
{
  "bla": "bla",
  "meh": "meh",
  "payload": {
    "foo": "1224",
    "bar": "woohoo",
    "baz": 0,
    "timestamp": 1449356706000
  }
}
```

And I would like the event to actually be whatever is inside the `payload` field:

```json
{
  "foo": "1224",
  "bar": "woohoo",
  "baz": 0,
  "timestamp": 1449356706000
}
```

I could create a new filter plugin just for this, but I'm wondering if this operation shouldn't belong to the existing `mutate` filter. And if yes, how would that operation be called? `extract`, `reify`, `move`, `promote`, `copy`?
I welcome any thoughts on this.
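
An added example, not part of the original post and not Logstash or `mutate` code: a sketch of the requested operation written against the event's `get`/`set`/`remove`/`tag` calls only, so it does not depend on whether `to_hash` returns the live hash or a copy, and it leaves the event intact (and tagged) when `payload` is missing or not a hash instead of wiping it. `StubEvent`, `promote`, the `_promote_failure` tag and the choice to keep `@`-prefixed fields are assumptions made for this example.

```ruby
# Minimal stand-in for the Logstash event API (get/set/remove/tag/to_hash),
# constructed here so the example runs without Logstash.
class StubEvent
  def initialize(data)
    @data = data
  end

  def get(field)
    @data[field]
  end

  def set(field, value)
    @data[field] = value
  end

  def remove(field)
    @data.delete(field)
  end

  def tag(value)
    @data['tags'] = ((@data['tags'] || []) + [value]).uniq
  end

  # Returns a deep copy, so callers cannot mutate the event through it.
  def to_hash
    Marshal.load(Marshal.dump(@data))
  end
end

# Hypothetical helper: replace the event's fields with the contents of `field`.
# Fields whose name starts with '@' (such as @timestamp) are kept.
# Returns true on success. If `field` is missing or not a hash, the event
# is left as it was, tagged, and false is returned.
def promote(event, field = 'payload')
  sub = event.get(field)
  unless sub.is_a?(Hash)
    event.tag('_promote_failure')
    return false
  end
  # Iterate over a snapshot of the keys while removing from the event itself.
  event.to_hash.each_key { |k| event.remove(k) unless k.start_with?('@') }
  sub.each { |k, v| event.set(k, v) }
  true
end
```

Inside a real `ruby` filter the body of `promote` would run against the filter's own `event` object; tagging the failure case keeps malformed events visible downstream rather than silently emptied.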