Hi @DefensiveDepth, ctx is a Map of maps (and lists, depending on the document), so you can remove keys in place or replace the map entirely. For example:
POST /_ingest/pipeline/_simulate?verbose=true
{
"pipeline": {
"processors": [
{
"script": {
"lang": "painless",
"source": """
Map eventData = ctx['winlog']['event_data'];
Map updatedEventData = new HashMap();
for (String key: eventData.keySet()) {
updatedEventData[key.substring(0,1).toUpperCase() + key.substring(1)] = eventData[key]
}
ctx['winlog']['event_data'] = updatedEventData
"""
}
}
]
},
"docs": [
{
"_source": {
"winlog": {
"event_data": {
"abc": 123,
"def": "hij"
}
}
}
}
]
}
Results:
{
"docs" : [
{
"processor_results" : [
{
"processor_type" : "script",
"status" : "success",
"doc" : {
"_index" : "_index",
"_type" : "_doc",
"_id" : "_id",
"_source" : {
"winlog" : {
"event_data" : {
"Def" : "hij",
"Abc" : 123
}
}
},
"_ingest" : {
"pipeline" : "_simulate_pipeline",
"timestamp" : "2022-01-05T16:02:13.747478961Z"
}
}
}
]
}
]
}