Unpack a list of hashes into new fields

antonisnyc94 · November 24, 2021, 9:39pm

Hello,

I am having a field data.aws.httpRequest.headers , and it has a list of hashes as seen below.

{
  "name": "host",
  "value": "testwebsite.com"
},
{
  "name": "authorization",
  "value": "token hidden"
},
{
  "name": "sec-ch-ua",
  "value": "\" Not A;Brand\";v=\"99\", \"Chromium\";v=\"96\", \"Google Chrome\";v=\"96\""
},
{
  "name": "sec-ch-ua-mobile",
  "value": "?0"
},
....

How can I use ruby to unpack the list into new fields, making the name of each hash in the list an additional field with its value as the value?

e.g data.aws.httpRequest.headers.host: testwebsite.com for the first one and so on?

I would greatly appreciate any help!

Thanks in advance,
Tony

Badger · November 24, 2021, 11:25pm

This post should give you some ideas.

antonisnyc94 · November 25, 2021, 1:59am

Thank you so much @Badger that indeed helped a lot! The only problem is that i want to keep the same name of the field and i cant figure out how to do this seamlessly through ruby. Do you know how to do it? The below code works but changing the field using logstash mutate seems kinda idiotic to me.

                  if [data][aws][httpRequest][headers] {
                    mutate {
                      rename => [ "[data][aws][httpRequest][headers]", "[data][aws][httpRequest][headersTemp]"]
                    }
                    ruby {
                      code => '
                                data = event.get("[data][aws][httpRequest][headersTemp]")
                                data.each_index { |x|

                                    # remove token from authorization header
                                    if data[x]["name"] == "authorization" || data[x]["name"] == "Authorization" || data[x]["name"] == "X-Mandrill-Signature"
                                        data[x]["value"] = "token hidden"
                                    end

                                    #making the maps in the loop into their own field and capitilizing the name
                                    name = data[x]["name"].split(/ |\_|\-/).map(&:capitalize).join("-")
                                    value = data[x]["value"]

                                    event.set("[data][aws][httpRequest][headers][#{name}]", value)
                                }
                                '
                        }

                        mutate {
                        remove_field => [ "[data][aws][httpRequest][headersTemp]" ]
                        }
                        
                      }

Badger · November 25, 2021, 2:16am

In a ruby filter, event.remove deletes a field and also returns its value. So instead of renaming the field you could do

data = event.remove("[data][aws][httpRequest][headers]")

antonisnyc94 · November 25, 2021, 2:39am

Thank youu so much! It's wayyy simpler than expected!

system · December 23, 2021, 2:39am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Issues renaming fields Logstash	1	349	April 15, 2021
Renaming/deleting inner array hash field with ruby Logstash	1	883	November 12, 2018
How to nest all fields in an event under a new field in logstash? Logstash	2	753	November 26, 2019
Put array elements into new fields with logstash filter Logstash	5	832	November 5, 2020
Convert field to an array Logstash	3	554	June 1, 2022

Unpack a list of hashes into new fields

Related topics