Parsing an array of KV pairs

Ash_Powell · January 24, 2019, 12:01pm

I am trying to parse some new data through Logstash, it comes through as an array of KV pairs
"custom.fields": [
{
"Field_A": "Value A"
},
{
"Field_B": "Value B"
},
{
"Field_C": "Value C"
},
{
"Field_D": "Value D"
},
{
"Field_E": "Value E"
}
]

I want to parse it within the same document so that when I index it to Elasticsearch it comes out as;
"Field_A": "Value A"
"Field_B": "Value B"

etc

We have been looking and I don't think any of the built in Plugins will cover this, and our attempts at Ruby haven't been working;
event.get('[custom][fields]').each do |i|
event.get(i).each {|k,v|
event.set('[custom_fields][' + k + ']', v)
}
end

Badger · January 24, 2019, 1:49pm

You are close...

        code => "
            event.get('[custom.fields]').each { |i|
                i.each {|k,v|
                    event.set('[custom_fields][' + k + ']', v)
                }
            }
        "

Do not use a dot in a field name. It works right up to the point where it stops working.

system · February 21, 2019, 1:49pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.