Thank you so much @Badger, that indeed helped a lot! The only problem is that I want to keep the same name of the field and I can't figure out how to do this seamlessly through ruby. Do you know how to do it? The below code works, but changing the field using logstash mutate seems kinda idiotic to me.
```
if [data][aws][httpRequest][headers] {
  mutate {
    rename => [ "[data][aws][httpRequest][headers]", "[data][aws][httpRequest][headersTemp]" ]
  }
  ruby {
    code => '
      data = event.get("[data][aws][httpRequest][headersTemp]")
      data.each_index { |x|
        # remove token from authorization header
        if data[x]["name"] == "authorization" || data[x]["name"] == "Authorization" || data[x]["name"] == "X-Mandrill-Signature"
          data[x]["value"] = "token hidden"
        end
        # make each map in the loop its own field and capitalize the name
        name = data[x]["name"].split(/ |\_|\-/).map(&:capitalize).join("-")
        value = data[x]["value"]
        event.set("[data][aws][httpRequest][headers][#{name}]", value)
      }
    '
  }
  mutate {
    remove_field => [ "[data][aws][httpRequest][headersTemp]" ]
  }
}
```
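The header conversion from the post as a standalone Ruby function that builds the whole map first, so it can be written back with a single `event.set` on the original field; this is an added example, not part of the original post. The names `headers_to_map`, `canonical_name`, `REDACTED_HEADERS`, `PLACEHOLDER` and `SAMPLE` are hypothetical, and the case-insensitive redaction and the handling of repeated headers go beyond what the posted code does.

```ruby
# Added example (hypothetical helper names; sample data is constructed).
REDACTED_HEADERS = %w[authorization x-mandrill-signature].freeze # names from the post
PLACEHOLDER = "token hidden"                                     # string from the post

# "x_mandrill signature" / "X-MANDRILL-SIGNATURE" -> "X-Mandrill-Signature"
def canonical_name(name)
  name.to_s.split(/[ _-]/).reject(&:empty?).map(&:capitalize).join("-")
end

# Turn [{"name"=>..., "value"=>...}, ...] into {"Name" => value}.
# Secrets are matched case-insensitively so a differently cased header
# name cannot slip past the redaction and land in the index.
def headers_to_map(headers)
  return headers unless headers.is_a?(Array) # absent or already converted
  headers.each_with_object({}) do |h, out|
    next unless h.is_a?(Hash) && h["name"]
    name = canonical_name(h["name"])
    next if name.empty?
    value = REDACTED_HEADERS.include?(name.downcase) ? PLACEHOLDER : h["value"]
    # A repeated header is kept as a list instead of overwriting the first one.
    out[name] = out.key?(name) ? Array(out[name]) << value : value
  end
end

# Assumed wiring inside a Logstash ruby filter (event.get / event.set are the
# Event API calls the post already uses); one set replaces the array in place:
#   path = "[data][aws][httpRequest][headers]"
#   event.set(path, headers_to_map(event.get(path)))

# Constructed sample input in the shape the post's code iterates over.
SAMPLE = [
  { "name" => "host",                 "value" => "example.test" },
  { "name" => "AUTHORIZATION",        "value" => "Bearer abc123" },
  { "name" => "x-mandrill-signature", "value" => "c2lnbmF0dXJl" },
  { "name" => "user_agent",           "value" => "curl/8.0" },
  { "name" => "accept",               "value" => "text/html" },
  { "name" => "accept",               "value" => "application/json" }
].freeze

p headers_to_map(SAMPLE) if __FILE__ == $PROGRAM_NAME
```

Because the map is assembled before anything is written back, the temporary field and the two `mutate` blocks are not needed with this approach.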