New operation for the mutate filter?

Elastic Stack Logstash
1

I often find myself using the ruby filter below in order to "move" a sub-structure at the root level in order to use it as the main event.

  ruby {
     code => "
        event.to_hash.delete_if {|k, v| k != 'payload'}
        event.to_hash.update(event.get('payload').to_hash)
        event.to_hash.delete_if {|k, v| k == 'payload'}
     "
  }

Disclaimer: I'm a Ruby noob, so I'm pretty sure there's a better way to achieve the exact same thing. Feel free to chime in if you have a better way.

For instance, the raw events I get are of the following form:

{
     "bla": "bla",
     "meh": "meh",
     "payload" : {
          "foo" : "1224",
          "bar" : "woohoo",
          "baz" : 0,
          "timestamp" : 1449356706000
     }
}

And I would like the event to actually be whatever is inside the payload field:

{
     "foo" : "1224",
     "bar" : "woohoo",
     "baz" : 0,
     "timestamp" : 1449356706000
 }

I could create a new filter plugin just for this, but I'm wondering if this operation shouldn't belong to the existing mutate filter. And if yes, how would that operation be called? extract, reify, move, promote, copy ?

I welcome any thoughts on this.

2

I ended up adding a new "copy" operation to the mutate filter.

The feature request is described here:

The pull request is available here:

1 Like
3

Fantastic idea and PR :smiley:

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.