Test field type with ruby filter and rename the field

I have a field "identity" that is mapped as a keyword, but some logs received have the field as an object. How do I rename the field? I tried the config below but got `syntax error, unexpected tCONSTANT`. Please advise.

		ruby {
			# NOTE(review): add_field / remove_field are filter-plugin options, not Ruby statements;
			# inside a ruby-filter code string the Event API (event.set / event.remove, as in the
			# reply below) is what actually moves the field.
			code => '
				# Both method calls are written without parentheses, so Ruby cannot parse a second
				# command call as the right operand of && — presumably this is where the
				# "unexpected tCONSTANT" comes from (Array is the constant); verify with parentheses.
				if event.include? "[identity]" && event.get("[identity]").is_a? Array
					add_field => {"identity_o" => "[identity]"}
					remove_field => ["[identity]"]
				end
			'
		}

Try this

# NOTE(review): the indexing error below shows [identity] arriving as a Hash (an object with
# claims/authorization keys), so an Array check will never match those events; the type tested
# here must be the one that actually conflicts with the keyword mapping.
if event.get("[identity]").is_a? Array
    event.set("identity_o", event.remove("[identity]"))
end

It does not work. I still get the error below.

[2022-07-04T16:54:39,081][WARN ][logstash.outputs.elasticsearch][filebeat-o365-azure-audit][67d6936fe83ac608b878b54fe70993481d0a26b89910cdf3f37714b41e458e2d] Could not index event to Elasticsearch. {:status=>400, :action=>["create", {:_id=>nil, :_index=>"azure-8.2.2", :routing=>nil}, {"tags"=>["forwarded", "beats_input_codec_plain_applied"], "durationMs"=>0, "service"=>{"type"=>"azure"}, "resourceId"=>"/SUBSCRIPTIONS/00C4C5C8-A714-49E6-9075-C4D8EEFD9997/RESOURCEGROUPS/KIKCMG/PROVIDERS/MICROSOFT.STORAGE/STORAGEACCOUNTS/KIKCMG", "ecs"=>{"version"=>"1.12.0"}, "category"=>"Action", "operationName"=>"MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION", "time"=>"2022-07-04T20:45:22.4974425Z", "ReleaseVersion"=>"6.2022.23.6+154fec2.release_2022w23", "tenantId"=>"68338bb1-12c8-4896-80d3-85275752f372", "agent"=>{"version"=>"8.2.2", "id"=>"18183cff-aa29-4f15-a882-7ef330c04ee4", "type"=>"filebeat", "ephemeral_id"=>"a95fc364-4def-4bc8-852c-1c2e7717c7ef"}, "correlationId"=>"aba80d4c-e594-4699-9b26-595f92cc0572", "level"=>"Information", "event"=>{"dataset"=>"azure.signinlogs", "module"=>"azure"}, "fileset"=>{"name"=>"signinlogs"}, "@timestamp"=>2022-07-04T20:45:22.497Z, "resultSignature"=>"Started.", "input"=>{"type"=>"azure-eventhub"}, "identity"=>{"claims"=>{"aio"=>"E2ZgYGiqtY2pS81Zkeayxu+NZykPAA==", "appidacr"=>"1", "xms_tcdt"=>"1496936377", "appid"=>"cca5bcb7-275c-441a-a81b-80a20df0c9c5", "http://schemas.microsoft.com/identity/claims/tenantid"=>"68338bb1-12c8-4896-80d3-85275752f372", "iat"=>"1656967222", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"=>"765b7b75-fd32-4ed2-8b58-259551d146b1", "iss"=>"https://sts.windows.net/68338bb1-12c8-4896-80d3-85275752f372/", "uti"=>"taJV3wdxfkmETNPgViAjAA", "nbf"=>"1656967222", "exp"=>"1656971122", "http://schemas.microsoft.com/identity/claims/objectidentifier"=>"765b7b75-fd32-4ed2-8b58-259551d146b1", "rh"=>"0.ASkAsYszaMgSlkiA04UnV1LzckZIf3kAutdPukPawfj2MBMpAAA.", "idtyp"=>"app", 
"aud"=>"https://management.azure.com", "ver"=>"1.0", "http://schemas.microsoft.com/identity/claims/identityprovider"=>"https://sts.windows.net/68338bb1-12c8-4896-80d3-85275752f372/"}, "authorization"=>{"evidence"=>{"principalId"=>"765b7b75fd324ed28b58259551d146b1", "principalType"=>"ServicePrincipal", "role"=>"Contributor", "roleAssignmentId"=>"cbc2fe4a8d5947929d4f60c655ea158b", "roleAssignmentScope"=>"/subscriptions/00c4c5c8-a714-49e6-9075-c4d8eefd9997/resourcegroups/kikcmg", "roleDefinitionId"=>"b24988ac618042a0ab8820f7382dd24c"}, "action"=>"Microsoft.Storage/storageAccounts/listKeys/action", "scope"=>"/subscriptions/00c4c5c8-a714-49e6-9075-c4d8eefd9997/resourcegroups/kikcmg/providers/Microsoft.Storage/storageAccounts/kikcmg"}}, "resultType"=>"Start", "callerIpAddress"=>"184.94.104.196", "@version"=>"1", "azure"=>{"consumer_group"=>"$Default", "offset"=>558374281864, "sequence_number"=>695170, "enqueued_time"=>"2022-07-04T20:54:38.166Z", "eventhub"=>"insights-operational-logs"}, "properties"=>{"entity"=>"/subscriptions/00c4c5c8-a714-49e6-9075-c4d8eefd9997/resourcegroups/kikcmg/providers/Microsoft.Storage/storageAccounts/kikcmg", "hierarchy"=>"68338bb1-12c8-4896-80d3-85275752f372/00c4c5c8-a714-49e6-9075-c4d8eefd9997", "eventCategory"=>"Administrative", "message"=>"Microsoft.Storage/storageAccounts/listKeys/action"}, "location"=>"global"}], :response=>{"create"=>{"_index"=>".ds-azure-8.2.2-2022.07.04-000001", "_id"=>"8m7-yoEBFgm0oiZXZr3f", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [identity] of type [keyword] in document with id '8m7-yoEBFgm0oiZXZr3f'. 
Preview of field's value: '{authorization={evidence={roleAssignmentScope=/subscriptions/00c4c5c8-a714-49e6-9075-c4d8eefd9997/resourcegroups/kikcmg, role=Contributor, roleDefinitionId=b24988ac618042a0ab8820f7382dd24c, roleAssignmentId=cbc2fe4a8d5947929d4f60c655ea158b, principalId=765b7b75fd324ed28b58259551d146b1, principalType=ServicePrincipal}, scope=/subscriptions/00c4c5c8-a714-49e6-9075-c4d8eefd9997/resourcegroups/kikcmg/providers/Microsoft.Storage/storageAccounts/kikcmg, action=Microsoft.Storage/storageAccounts/listKeys/action}, claims={xms_tcdt=1496936377, ver=1.0, aio=E2ZgYGiqtY2pS81Zkeayxu+NZykPAA==, idtyp=app, iss=https://sts.windows.net/68338bb1-12c8-4896-80d3-85275752f372/, uti=taJV3wdxfkmETNPgViAjAA, aud=https://management.azure.com, nbf=1656967222, appidacr=1, http://schemas={microsoft={com/identity/claims/identityprovider=https://sts.windows.net/68338bb1-12c8-4896-80d3-85275752f372/}}, rh=0.ASkAsYszaMgSlkiA04UnV1LzckZIf3kAutdPukPawfj2MBMpAAA., appid=cca5bcb7-275c-441a-a81b-80a20df0c9c5, exp=1656971122, iat=1656967222}}'", "caused_by"=>{"type"=>"illegal_state_exception", "reason"=>"Can't get text on a START_OBJECT at 1:969"}}}}}

[identity] is not an Array, it is a Hash. You could try with

if event.get("[identity]").is_a? Hash  # matches the object form of [identity] shown in the indexing error above

or even

# Broader than the Hash check: true for any non-String value, and also when the field is
# absent (event.get returns nil), so the body would then set identity_o to nil.
if ! event.get("[identity]").is_a? String

It works. Thank you very much.
