Ruby Code to split key value pair in Logstash 6.8.0

Santy · June 15, 2021, 5:16am

json
{
source => "message"
}
split {
field => "data"
	}
date {
  match => ["[data][currentDate]", "yyyy-MM-dd HH:mm:ss"]
  target => "@timestamp"
}
ruby {
          code => "
          event['data'].each {|k, v|
          event[k] = v
          }
          event.remove('data')
        "
      }

This was used earlier in logstash 1.5 to split key value pair from a field called "data". Currently we need to migrate to logstash 6.8.0, Could someone help me for this?

Currently i'm using the below ruby code, it is not working properly

ruby {
code => "
event.get('data').each {|k, v|
event.set(k, v)
}
event.remove('data')
"
}

Example of data field is:
{"data":[{"key1":"value1","key2":"value2","key3":"value3", etc}]} Like this the log has key: value more than 20

Badger · June 15, 2021, 2:20pm

That shows data is an array, so the .each will return the hash, not the key value pairs. You could try event.get('[data][0]').each

Santy · June 16, 2021, 10:35am

ruby {
code => "
event.get('[data][0]').each {|k, v|
event.set(k, v)
}
event.remove('data')
"
}

Hi @Badger , i tried the above one and getting logs with _rubyexception
in nohup file i'm getting this

Ruby exception occurred: undefined method `each' for nil:NilClass

Also i came to know that we are receiving logs like this also

{"data":[{"key1":"value1","key2":"value2","key3":"value3", etc}, {}, {"key1":"value1","key2":"value2","key3":"value3", etc}]}

Badger · June 16, 2021, 4:28pm

That is telling you that [data][0] does not exist. If it is not present on all events then you could try changing

event.get('[data][0]').each {|k, v|
    event.set(k, v)
}
event.remove('data')

to

d = event.get('[data][0]')
if d
    d.each {|k, v|
        event.set(k, v)
    }
    event.remove('data')
end

Santy · June 18, 2021, 5:13am

ruby {
code => "
d = event.get('[data]')
if d
    d.each {|k, v|
        event.set(k, v)
    }
    event.remove('data')
end
"
}

Thanks @Badger This one is working fine, anyway to avoid empty '{}' log i have dropped it from LS itself.

system · July 16, 2021, 5:14am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Split array fields in logstash Logstash	22	10534	June 7, 2017
Splitting multiple arrays in Logstash to create multi events Logstash	4	1727	July 29, 2019
Extract specific fields from Json using Logstash Logstash	4	4528	October 7, 2019
Digging values out of embedded hashes Logstash	5	550	February 27, 2018
Working with key:value arrays Logstash	5	1279	October 8, 2021

Ruby Code to split key value pair in Logstash 6.8.0

Related topics