When you run a JMS query you get the [value] hash, which has multiple entries where the key is the object name and the value is a hash of data.
JMS object names are complicated. It may seem like the only thing you care about is the destinationName, but I would retain everything in case that changes. To do this I would split [value] so that each response is a separate document. Then I parse the object name into several fields in that document. If [value][subtype] is always configuration in your use case you lose very little by retaining it, and if it varies then you lose a lot by deleting it.
If you use
# Put the full object name inside the object details
ruby {
code => '
data = event.get("value")
newData = []
data.each { |k, v|
v["fullName"] = k
newData << v
}
event.set("value", newData)
'
}
# Have one object name per event
split { field => "value" }
# Get the various parts of the object name into the object details
mutate { rename => { "[value][fullName]" => "[@metadata][fullName]" } }
mutate {
split => { "[@metadata][fullName]" => ":" }
add_field => { "[value][serverName]" => "%{[@metadata][fullName][0]}" }
}
kv { field_split => "," source => "[@metadata][fullName][1]" target => "[@metadata][value]" }
mutate { merge => { "[value]" => "[@metadata][value]" } }
you will end up with events like
"request" => {
"mbean" => "com.softwareag.um.server:brokerName=umserver,destinationName=*,destinationType=Topic,subtype=*,type=Broker",
"type" => "read"
},
"timestamp" => 1730263910,
"value" => {
"MultiFileEventsPerSpindle" => 50000,
"UsesMergeEngine" => false,
"AbsolutePath" => "/wm/is/wm/prt/dispatch/Signal",
"StoreType" => "Mixed",
"brokerName" => "umserver",
"destinationType" => "Topic",
"serverName" => "com.softwareag.um.server",
etc. etc.