Parsing JSON Array In Event

wwalker · March 23, 2023, 8:18pm

I am using the jdbc_streaming filter to pull additional data for an event from a database, the result looks like below. Any ideas on how I could have this parsed out so that I don't lose any of the data and keep it all contained within a single event?

[
  {
    "integeranswer": null,
    "dropdownid": 47,
    "questionid": 59,
    "dateanswer": null,
    "textareaanswer": null,
    "decimalanswer": null,
    "booleananswer": null
  },
  {
    "integeranswer": null,
    "dropdownid": null,
    "questionid": 109,
    "dateanswer": null,
    "textareaanswer": null,
    "decimalanswer": null,
    "booleananswer": false
  }
]

If possible, I'd want to it to be...objectified(?) to have this sort of field structure in the event:

question.59.integeranswer: null
question.59.dropdownid: 47
question.59.dateanswer: null
question.59.textareaanswer: null
question.59.decimalanswer: null
question.59.booleananswer: null

question.109.integeranswer: null
question.109.dropdownid: null
question.109.dateanswer: null
question.109.textareaanswer: null
question.109.decimalanswer: null
question.109.booleananswer: null

Badger · March 23, 2023, 10:39pm

Do you want stops in the fieldnames or do you want something like

{ "question": { "59" : { "integeranswer": ...

wwalker · March 24, 2023, 2:25pm

I believe what you gave is what I'm looking for.

{
	"question": {
		"59": {
			"integeranswer": "null",
			"dropdownid": "null",
			"dateanswer": "null",
			"textareaanswer": "null",
			"decimalanswer": "null",
			"booleananswer": "null"
		}
	}
}

Badger · March 24, 2023, 4:11pm

You will need to use ruby. Try

    ruby {
        code => '
            begin
                a = event.get("fieldThatHasAnArrayOfHashes")
                a.each { |x|
                    if x["questionid"]
                        fieldname = "[question][" + x["questionid"].to_s + "]"
                        x.delete("questionid")
                        event.set(fieldname, x)
                    end
                }
            rescue
            end
        '
    }

wwalker · March 24, 2023, 5:00pm

Well that did something, but not quite what is intended, lol

I did this:

ruby {
        code => '
            begin
                a = event.get("question")
                a.each { |x|
                    if x["questionid"]
                        fieldname = "[question][" + x["questionid"].to_s + "]"
                        x.delete("questionid")
                        event.set(fieldname, x)
                    end
                }
            rescue
            end
        '
    }

and this is a partial return of what came out:

question: [
  {
      "integeranswer": null,
      "dropdownid": null,
      "questionid": 222,
      "textanswer": null,
      "textareaanswer": null,
      "decimalanswer": null,
      "booleananswer": true
    },
    {
      "integeranswer": null,
      "dropdownid": null,
      "questionid": 223,
      "textanswer": null,
      "textareaanswer": null,
      "decimalanswer": null,
      "booleananswer": null
    },
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
     - ,
    {
      "integeranswer": null,
      "dropdownid": 1,
      "textanswer": null,
      "textareaanswer": null,
      "decimalanswer": null,
      "booleananswer": null
    },
    {
      "integeranswer": null,
      "dropdownid": null,
      "textanswer": null,
      "textareaanswer": null,
      "decimalanswer": null,
      "booleananswer": false
    },
    {
    "integeranswer": null,
    "dropdownid": null,
    "textanswer": null,
    "textareaanswer": null,
    "decimalanswer": null,
    "booleananswer": null
  }
]

Badger · March 24, 2023, 5:43pm

Don't modify a field whilst iterating over it.

    ruby {
        code => '
            begin
                a = event.get("question")
                a.each { |x|
                    if x["questionid"]
                        fieldname = "[newQuestion][" + x["questionid"].to_s + "]"
                        x.delete("questionid")
                        event.set(fieldname, x)
                    end
                }
            rescue
            end
        '
    }
    mutate { rename => { "newQuestion" => "question" } }

wwalker · March 24, 2023, 6:41pm

Fantastic, that worked! One last question/request, is there a way to exclude the field if the value is null?

wwalker · March 24, 2023, 9:33pm

I tried adding the below just after what you provided above, but it doesn't seem to work. I've tried v == "" and v == nil, neither seems to work.

      ruby {
        code => '
          event.to_hash.each { |k, v|
            if v.kind_of? String
              if v == nil
                event.remove(k)
              end
            end
          }
        '
      }

Badger · March 24, 2023, 9:39pm

If you use

 ruby {
        code => '
            begin
                a = event.get("question")
                a.each { |x|
                    if x["questionid"]
                        fieldname = "[newQuestion][" + x["questionid"].to_s + "]"

                        h = {}
                        x.each { |k, v|
                            if v
                                unless k == "questionid"
                                    h[k] = v
                                end
                            end
                        }
                        event.set(fieldname, h)
                    end
                }
            rescue
            end
        '
    }
    mutate { rename => { "newQuestion" => "question" } }

then you will get

  "question" => {
    "109" => {},
     "59" => {
        "dropdownid" => 47
    }
},

wwalker · March 24, 2023, 9:54pm

That did it, as always, thanks for the assist @Badger

system · April 21, 2023, 9:55pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.