Renaming multiple fields that are nested

I need help renaming multiple fields that are nested, here is my problem, I can only rename "did" within example.devices but when I attempt to rename others I would assume it's the same pattern but the results are what is below

Example of results of the filter:

"example.devices" => [
        [0] {
                                  "subnet" => "1234",
                                     "mac" => 1234,
                              "identifier" => "1234",
                                      "ip" => "1234",
                                "hostname" => "1234",
            "example.devices.did" => 1234,
                                     "sid" => 1234
        }

here is my filter:

filter{
 json {
     source => "[_source][message]"
     target => "parsed_message" 
  }
mutate{ 
      rename => {
      parsed_message" => "[example.parsed_message]"
      "somethingDevices" => "example.devices"
          "[example.devices][0][did]" => "[example.devices][0].[example.devices.did]" 
          "[example.devices][0][ip]" => "[example.devices][0][ip_TESTING]" 
  }
 }
}

You are making assumptions about the order of execution. You are trying to create [example.devices] in the same mutate in which you modify it. Some of the modifies may happen before it is created, in which case they will be no-ops. Split it into two mutate filters.

thanks badger for the help! I didn't know any better how rename works as I was stuffing it all in one rather than modulating it, I thought it hit the limit or something but it was what you mentioned.

it worked splitting it up, I did see your other post previously regarding renaming using ruby for every k value. Would this approach also be another way to solve what I wanted?

here is the post: Renaming nested fields

I would not use ruby unless you have to. If [example.devices] has a variable number of entries in the array then ruby would be required.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.