Ruby Code to split key value pair in Logstash 6.8.0

Santy · June 15, 2021, 5:16am

json
{
source => "message"
}
split {
field => "data"
	}
date {
  match => ["[data][currentDate]", "yyyy-MM-dd HH:mm:ss"]
  target => "@timestamp"
}
ruby {
          code => "
          event['data'].each {|k, v|
          event[k] = v
          }
          event.remove('data')
        "
      }

This was used earlier in logstash 1.5 to split key value pair from a field called "data". Currently we need to migrate to logstash 6.8.0, Could someone help me for this?

Currently i'm using the below ruby code, it is not working properly

ruby {
code => "
event.get('data').each {|k, v|
event.set(k, v)
}
event.remove('data')
"
}

Example of data field is:
{"data":[{"key1":"value1","key2":"value2","key3":"value3", etc}]} Like this the log has key: value more than 20

Badger · June 15, 2021, 2:20pm

That shows data is an array, so the .each will return the hash, not the key value pairs. You could try event.get('[data][0]').each

Santy · June 16, 2021, 10:35am

ruby {
code => "
event.get('[data][0]').each {|k, v|
event.set(k, v)
}
event.remove('data')
"
}

Hi @Badger , i tried the above one and getting logs with _rubyexception
in nohup file i'm getting this

Ruby exception occurred: undefined method `each' for nil:NilClass

Also i came to know that we are receiving logs like this also

{"data":[{"key1":"value1","key2":"value2","key3":"value3", etc}, {}, {"key1":"value1","key2":"value2","key3":"value3", etc}]}

Badger · June 16, 2021, 4:28pm

That is telling you that [data][0] does not exist. If it is not present on all events then you could try changing

event.get('[data][0]').each {|k, v|
    event.set(k, v)
}
event.remove('data')

to

d = event.get('[data][0]')
if d
    d.each {|k, v|
        event.set(k, v)
    }
    event.remove('data')
end

Santy · June 18, 2021, 5:13am

ruby {
code => "
d = event.get('[data]')
if d
    d.each {|k, v|
        event.set(k, v)
    }
    event.remove('data')
end
"
}

Thanks @Badger This one is working fine, anyway to avoid empty '{}' log i have dropped it from LS itself.

system · July 16, 2021, 5:14am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Split array fields in logstash Logstash	22	10529	June 7, 2017
Extract specific fields from Json using Logstash Logstash	4	4521	October 7, 2019
Working with key:value arrays Logstash	5	1270	October 8, 2021
Split string into array and then into key value pairs Logstash	3	1894	March 18, 2021
Split array with key+value fields to key: value - Follow up Logstash	3	1011	August 17, 2020

Ruby Code to split key value pair in Logstash 6.8.0

Related Topics