Rename dynamic nested field

Hello there,

Given this event:

{
  field_name: "foo",
  nested: {
    foo: "bar"
  }
}

Is there a way with a mutate filter (or another solution) to transform it to:

{
  field_name: "foo",
  nested: {
    foo: "bar"
  },
  new_field: "bar"
}

Obviously the foo property is dynamic, and that's what is causing me a headache. I tried with rename and add_field, but didn't achieve my goal.

I found a working solution using ruby code.

/usr/share/logstash/dynamic_field_rename.rb

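def register(params)
  @from_field = params["from_field"]  # parent field reference, e.g. "[nested]"
  @path_in = params["path_in"]        # field whose value names the dynamic key
  @set_field = params["set_field"]    # destination field
end

def filter(event)
  path = event.get(@path_in)
  # Pass the event through unchanged when the key name is missing or not a string
  return [event] unless path.is_a?(String) && !path.empty?
  # Accept both a bare key name ("foo") and a field reference ("[foo]")
  path = "[#{path}]" unless path.start_with?("[")
  value = event.get(@from_field + path)
  event.set(@set_field, value)
  return [event]
end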

test "dynamic rename" do
  parameters do
    {
      "from_field" => "[nested]",
      "path_in" => "[field_name]",
      "set_field" => "baz"
    }
  end

  in_event { { "field_name" => "[foo]", "nested" => { "foo" => "hello" } } }

  expect("add field") do |events|
    events[0].get("baz") == "hello"
  end
end

/usr/share/logstash/pipeline/logstash.conf

...
filter {
    ruby {
      path => "/usr/share/logstash/dynamic_field_rename.rb"
      script_params => { 
        "from_field" => "[nested]"
        "path_in" => "[field_name]"
        "set_field" => "baz"
      }
    }
}

I'm open to better solutions using built-in plugins like mutate if they exist.

I think a ruby filter is the only way to do this.
