I'm receiving some data, and one of the fields is dynamically named with a number. So it can come out as field_1 or field_28 within a hash.
This is inside of an array, which is inside of a hash.
So, for example, the raw message coming across looks like this:
{"header_field":"data","header_offset":"1234", "docs":[{"field_1":"date","doctype":"mystring"}]}, which means field_1 is a hash entry at array index 0 inside of the main hash.
I want to rename the dynamic field name to something standard, say field_date. This will make it a lot easier on the Elastic side.
I've looked around and tried different examples, notably this one, but I cannot get it to work.
Here is what I have so far. I've gotta be missing some small detail.
ruby {
code => '
event.get("docs").each do |k|
keys = k.keys
keys.each do |key|
if ( key =~ /field_[0-9]+/ )
k.delete(key)
end
end
end
'
}
This does not work though. I can print the keys and see them all, so I know I'm at least accessing them. But I cannot seem to delete one, or to copy and paste its value into a new variable and then delete.