Use ruby filter decode base64 field cannot replace oldfields

I have a k,v pairs, some of them was base64 encoded.
like this

"requestMsg" => {
            "userInfo" => "eyJ1c2VySWQiOiIxNTIyMjY3NTY5NCIsInR5cGUiOiIxIn0=",
              "random" => "462091",
              "originalType" => "1",
              "serial" => "475192",
             "appInfo" => "eyJhcHBJZCI6IjE1NThjN2NkMjgzNWI2Njk2ODE1NmZiZTRkNGZjZGI4ZjZkMWZjM2IiLCJzaWduIjoiNzc5MDkzOTQ2IiwiaGFzaCI6IjE3MGFjNTBjZTNiMDNkNmM0MDdkNzdhYzczNTQ4MDFlIiwic2RrVmVyc2lvbiI6IjEuMCJ9",             
             "devInfo" => "eyJpbWVpIjoiODY2NTkyMDMyMTU1NTMyJjg2NjU5MjAzMjIzMDQxOCIsImVxdWlwbWVudE1vZGVsIjoiU1RGLUFMMTAiLCJjcHVBYmkiOiJhcm1lYWJpLXY3YSIsImNwdUNvdW50Ijo4LCJkZXZfdHlwZSI6IkFuZHJvaWQiLCJwaG9uZV9udW0iOiIiLCJzeXN0ZW1fdmVyc2lvbiI6IjcuMCIsIm1hbnVmYWN0dXJlciI6IkhPTk9SIiwicmlza0luZm8iOnsicm9vdCI6IjAiLCJob29rIjoiMCJ9LCJjb25mVmVyc2lvbiI6IjIwIn0=",
              "header" => "eyJvcCI6InpyYXV0aC5hcHAuYnVzaW5lc3MucmFuZG9tLmRlY3J5cHRpb24iLCJ1cHYiOnsibWFqb3IiOiIzIiwibWlub3IiOiIwIn19",
             "appCode" => "1002",
            "sotpRandom" => "569316"
    }

I want use Ruby plugin to loop the nested k,v pairs and decode the certain fields,Finally, the decoded value all in the right place. like this:

            "requestMsg" => {
            "userInfo" => "{"userId":"15222675694","type":"1"}",
             .....
             .....
              "header" => "{\"op\":\"zrauth.app.business.random.decryption\",\"upv\":{\"major\":\"3\",\"minor\":\"0\"}}",
          "sotpRandom" => "569316"
    }

but I use the ruby code:

ruby {
    init => "require 'base64'"
    code => "
        tobase64fields = ['userInfo','appInfo','devInfo','header']
        fieldArray = event.get('[msg][requestMsg]')
        fieldArray.each{|k,v| if tobase64fields.include?k  then  event.set('[msg][requestMsg][k]', 
Base64.decode64(v)) end }
    "
} 

but it cannot work , it will have the result like this:

"requestMsg" => {
           ......
            "k" => "{\"op\":\"zrauth.app.business.random.decryption\",\"upv\":{\"major\":\"3\",\"minor\":\"0\"}}",
          .......
          .......
    },

the field name is "K"? what's wrong with it ? thx all !

I almostly solved this question, the Ruby code change to this:

ruby {
    init => "require 'base64'"
    code => "
        tobase64fields = ['userInfo','appInfo','devInfo','header']
        fieldArray = event.get('[msg][requestMsg]')
        fieldArray.each{|k,v| if tobase64fields.include?k  then  event.set('[msg][requestMsg]' + k, Base64.decode64(v)) end }
    "
}

the nested field name follows the "+k", it can point the certain fields.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.