Replace dots in field names for ES 2.0

juerkan · October 14, 2015, 6:55pm

Dear logstash pro's
We produce logs and we use logstash to bring it into elasticsearch.
There hundrets of dynamic produced field names with a dot inside. (not nestet fields)
And we have field names with no dots.
for example:
originator.id1 = 27
caseid = 1235
originator.res1 =346
originator.case142 = 341
is there a way in logstash to replace a dot in a field name dynamicly.
something like:
If in the field name is a dot, replace it with a under score.
output should be:
originator_id1 = 27
caseid = 1235
originator_res1 =346
originator_case142 = 341

i played with the gsub filter plugin, but without success
help me out, please

juerkan · October 14, 2015, 7:20pm

i forget:
a field name can consist more than one dot.
for example:
mass.originator.2.type

thx

magnusbaeck · October 14, 2015, 7:23pm

The mutate filter's gsub option works on field values, not field names. You need to use the ruby filter for this and write some custom Ruby code.

juerkan · October 28, 2015, 1:36pm

Hi, many thanks for your advice,
I tried...... but, i'm not a ruby ninja

Is there someone out there, who can help me with this ruby code

i think other people will have the same problem (dots in field names) with ES2.0

thank you and greetings from austria