As the documentation says, prune only operates on top-level fields, so you cannot use it on fields inside [response][result].
Your message is not valid JSON. If I change it to be valid then I can do this:
input { generator { count => 1 lines => [ '{"recode":"VZ##","response-code":"4000","response":{"result":[{"DetailsPageURL":"foo","idsource":"0","Attribute":[{"DISPLAYNAME":"Tiempo de respuesta server oasu","Value":"2305"}]}]}}' ] } }
filter {
json { source => "message" remove_field => [ "message" ] }
mutate {
add_field => {
"DISPLAYNAME" => "%{[response][result][0][Attribute][0][DISPLAYNAME]}"
"Value" => "%{[response][result][0][Attribute][0][Value]}"
}
remove_field => [ "response" ]
}
}
output { stdout { codec => rubydebug { metadata => false } } }
which produces
"response-code" => "4000",
"Value" => "2305",
"recode" => "VZ##",
"DISPLAYNAME" => "Tiempo de respuesta server oasu"
You may want to replace the remove_field with a prune using whitelist_names.
If you want to keep those two fields in place then you would need a custom ruby filter. I do not think there is a generic solution to do it that way.