Ruby script for auditd EXECVE logs

A ruby filter can use inline code (the code/init options) or a script in a file (the path option).

With the path option you define a filter method that returns an array of events and it gets called for each event.

With the code/init options you write a lambda that references a variable called event. You use event.get/set/remove etc. to modify it.

You have written code in the first form but invoke it using the second. That will not work. For every event your function will get redefined, but not called.

When using init/code define functions in the init block and call them in the code block.

I would implement this using

    kv { source => "message" target => "[@metadata][kvData]" }
    if [@metadata][kvData][type] == "EXECVE" {
        ruby {
            code => '
                # kv yields argc as a string; to_i also tolerates a missing field (becomes 0)
                argc = event.get("[@metadata][kvData][argc]").to_i
                command = ""
                # remove() returns the removed value, or nil if the field is absent;
                # to_s keeps a truncated argv from raising "undefined method + for nil"
                (0 ... argc).each { |x| command += event.remove("[@metadata][kvData][a#{x}]").to_s + " " }
                event.set("command", command.chop)
            '
        }
    }
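The same EXECVE reconstruction written for the `path` form described above (a script file defining `register` and `filter`), as an added example that is not part of the original post. The `Event` class is a stand-in constructed so the file runs offline; the `prefix` script parameter is hypothetical, and the unquoted-hex rule follows auditd's own field encoding.

```ruby
# Added example: EXECVE argv reconstruction for the ruby filter's `path` option.
# Logstash calls register(params) once and filter(event) per event; filter must
# return an array of events. Field access goes through event.get/set/remove.

# Minimal stand-in for Logstash's Event so the script runs offline. Constructed
# for this example; inside Logstash the real Event object is passed to filter.
class Event
  def initialize(fields); @fields = fields.dup; end
  def get(ref); @fields[ref]; end
  def set(ref, value); @fields[ref] = value; end
  def remove(ref); @fields.delete(ref); end
end

def register(params)
  @prefix = params["prefix"] || "[@metadata][kvData]"   # hypothetical script_params key
end

# auditd writes a0="ls" for plain values and a1=2f746d70... (no quotes) when the
# argument contains spaces, quotes or control characters. kv strips the quotes,
# so inspect the raw message to tell the two apart before hex-decoding.
def hex_encoded?(message, idx)
  m = message.to_s.match(/(?:\A|\s)a#{idx}=([^\s"]+)/)
  !m.nil? && m[1].match?(/\A(?:[0-9A-Fa-f]{2})+\z/)
end

def filter(event)
  msg  = event.get("message")
  argc = event.get("#{@prefix}[argc]").to_i
  args = (0...argc).map do |i|
    raw = event.remove("#{@prefix}[a#{i}]")
    if raw.nil?
      # argv shorter than argc (truncated record or missing field): tag rather than raise
      event.set("tags", (event.get("tags") || []) + ["_execve_argv_incomplete"])
      next nil
    end
    hex_encoded?(msg, i) ? [raw].pack("H*") : raw
  end
  event.set("command", args.compact.join(" "))
  [event]
end
```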