With LS 6.1 you have two styles of creating a ruby filter.
- The old style, using an inline `code => '...'` setting.
- The new style, using an external file, which is more powerful and can include tests!
I'm guessing that you want the old style.
input {
  # Test harness only: the generator plugin emits a fixed, synthetic event
  # so the filter section can be exercised without a real data source.
  generator {
    # Emit the sample document exactly once.
    count => 1
    # JSON text with an "identifiers" array; each entry carries an
    # isOriginal boolean that the filter section keys on.
    message => '{"identifiers": [{ "name": "ENCODED_RECIPIENT_ID", "value": "LTMxNjcxMTc4NjQS1", "isOriginal": false }, { "name": "ENCODED_RECIPIENT_ID", "value": "LTMxNjcxODA5NzQS1", "isOriginal": true }, { "name": "contactId", "value": "-3167117864", "isOriginal": false }, { "name": "contactId", "value": "-3167180974", "isOriginal": true }]}'
  }
}
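filter {
  # Parse the JSON text in [message] into top-level event fields.
  # [message] itself stays on the event, so the complete, unfiltered
  # identifier list is still present there after the ruby filter has run.
  json {
    source => "message"
  }

  # Only touch events that parsed cleanly.
  if "_jsonparsefailure" not in [tags] {
    ruby {
      # Keep only the identifiers flagged isOriginal.
      # The code is a single-quoted config string, so it must not contain
      # single quotes, comments included.
      code => '
        elements = event.get("[identifiers]")
        # A non-array value (missing field, single object, string) is left as is.
        if elements.is_a?(Array)
          # Entries that are not JSON objects (null, numbers, nested arrays)
          # are dropped. Without the Hash check such an entry raises inside
          # the block, the ruby filter tags the event _rubyexception, and
          # the list is passed on unfiltered.
          # isOriginal is tested for truthiness, so a JSON string such as
          # "false" still counts as original; compare with == true if the
          # producer is not trusted to send real booleans.
          event.set("[identifiers]", elements.select { |ele| ele.is_a?(Hash) && ele["isOriginal"] })
        end
      '
    }
  }
}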
output {
  # Debug output: rubydebug pretty-prints every field of the event to stdout,
  # including the raw [message] text as well as the filtered [identifiers].
  stdout { codec => rubydebug }
}
Result:
{
"identifiers" => [
[0] {
"value" => "LTMxNjcxODA5NzQS1",
"isOriginal" => true,
"name" => "ENCODED_RECIPIENT_ID"
},
[1] {
"value" => "-3167180974",
"isOriginal" => true,
"name" => "contactId"
}
],
"@version" => "1",
"host" => "Elastics-MacBook-Pro.local",
"message" => "{\"identifiers\": [{ \"name\": \"ENCODED_RECIPIENT_ID\", \"value\": \"LTMxNjcxMTc4NjQS1\", \"isOriginal\": false }, { \"name\": \"ENCODED_RECIPIENT_ID\", \"value\": \"LTMxNjcxODA5NzQS1\", \"isOriginal\": true }, { \"name\": \"contactId\", \"value\": \"-3167117864\", \"isOriginal\": false }, { \"name\": \"contactId\", \"value\": \"-3167180974\", \"isOriginal\": true }]}",
"@timestamp" => 2018-01-11T17:09:01.267Z,
"sequence" => 0
}