Split array with key+value fields to key: value - Follow up

Hello,

I am trying to convert this input

{    
    "request": {
      "time": "2020-04-30T07:32:13.997Z",
      "size": "0",
      "headers": [
        {
          "key": "Correlation-Id",
          "value": "124f4cdf-6cd7-44ae-a8dc-2ecf2b187f42"
        },
        {
          "key": "host",
          "value": "api.local.host"
        },
        {
          "key": "x-forwarded-for",
          "value": "1.1.1.1"
        },
        {
          "key": "x-forwarded-port",
          "value": "443"
        },
        {
          "key": "x-forwarded-proto",
          "value": "https"
        }
      ],
      "httpMethod": "GET",
      "httpSchema": "https"
  }
}

into

     {    
         "request": {
           "time": "2020-04-30T07:32:13.997Z",
           "size": "0",
           "headers": {
     				"Correlation-Id": "124f4cdf-6cd7-44ae-a8dc-2ecf2b187f42",
     				"host": "api.local.host",
     				"x-forwarded-for": "1.1.1.1",
     				"x-forwarded-port": "443",
     				"x-forwarded-proto": "https"
             },
           "httpMethod": "GET",
           "httpSchema": "https"
       }
     }

I took inspiration from the "Splitting Array" topic and others, but I am using the following filter:

    filter {

     # Parse the JSON document held in "message" into event fields; remove_field
     # drops the raw string once parsing has succeeded.
     json {
       source => "message"
       remove_field => ["message"]
     }

            # Attempted conversion: walks the [request][headers] array and writes each
            # entry back under [request][headers][<key>]. The target is still that same
            # array while the loop runs, so presumably the name-keyed write fails; the
            # output shown after this filter still contains the array. By default the
            # ruby filter tags an event with _rubyexception when the code raises, so
            # check the event's tags.
            ruby {
    		        # Earlier attempt, left disabled: it writes each header as a top-level field
    		        # named after the header. Header names come from the request, so a header
    		        # such as "host" would overwrite the event field of the same name.
    		        #code => "event.get('[request][headers]').each {|hash| event.set(hash['key'], hash['value']) }"
    		        code => "event.get('[request][headers]').each {|hash| event.set('[request][headers][' + hash['key'] + ']', hash['value']) }"
            }
    }

I am getting this:

   "request" => {
       "headers" => [
        [0] {
            "value" => "124f4cdf-6cd7-44ae-a8dc-2ecf2b187f42",
              "key" => "Correlation-Id"
        },
        [1] {
            "value" => "api.local.host",
              "key" => "host"
        },
        [2] {
            "value" => "1.1.1.1",
              "key" => "x-forwarded-for"
        },
        [3] {
            "value" => "443",
              "key" => "x-forwarded-port"
        },
        [4] {
            "value" => "https",
              "key" => "x-forwarded-proto"
        }
    ],

Any idea what I am doing wrong?

headers is an array, but you are treating it like a hash. That's probably causing an error. Try to save the data in a new field first and then exchange the old field for the new one afterwards.

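ruby {
  # Convert the [request][headers] array of {key, value} objects into one hash
  # stored in the temporary field headers_transformed.
  #
  # Header names and values are copied from the logged request, so they are
  # untrusted data. The hash is built in Ruby and stored with a single
  # event.set call: a header name is never concatenated into a field-reference
  # string, so '[' or ']' inside a name cannot change or invalidate the target
  # path. Events without a headers array, and entries without a string key,
  # are skipped instead of raising and being tagged _rubyexception.
  # If the same header name appears twice, the last value wins.
  code => "
    headers = event.get('[request][headers]')
    if headers.is_a?(Array)
      transformed = {}
      headers.each do |item|
        next unless item.is_a?(Hash) && item['key'].is_a?(String)
        transformed[item['key']] = item['value']
      end
      event.set('[headers_transformed]', transformed)
    end
  "
}
mutate {
  # Replace the original array with the hash built above. When the ruby block
  # skipped the event, headers_transformed does not exist and the original
  # field is left as it was.
  # NOTE(review): every distinct header name becomes its own field; if these
  # events are indexed downstream, consider keeping only an allow-list of
  # expected header names to bound the number of fields.
  rename => { "headers_transformed" => "[request][headers]" }
}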

Thank you so much Jenni!

It works perfectly!

Thank you again!

Reddy
