Using logstash to denomalize data?

dmarshall · January 19, 2022, 5:06pm

I have data coming in with field names like this:
"field_1" => "10"
"field_2" => "20"

and I'm trying to figure out how to convert it to something more like this:
"field" => [ {"num" => "1", "val" => "10"}, {"num" => "2", "val" => "20"}]

Issue is the source is sending in dozens of these fields, with an index that could theoretically go to 10k on each, so I'd end up with an index with potentially hundreds of thousands of fields.

I got tasked with this by my boss, but I really know next to nothing about logstash. For this, I'm not even sure what I'm looking for - just a function name would be useful so I could google it. :S

Badger · January 19, 2022, 6:16pm

Assuming that they are all top-level fields and the names really do start with "field_" you could try something like

ruby {
    code => '
        fields = []
        event.to_hash.each { |k, v|
            if k =~ /^field_\d+/
                newK = k.sub(/^field_/, "")
                fields << { "num" => newK, "val" => v }
                event.remove(k)
            end
        if fields != []
            event.set("fields", fields)
        end
    '
}

dmarshall · January 19, 2022, 6:28pm

Thanks! I'll give this a shot.

system · February 16, 2022, 6:29pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
XML Logstash Logstash	2	196	July 25, 2021
Rename field Logstash	3	703	February 21, 2018
Renaming fields wild card logstash Logstash	3	2215	August 6, 2019
Convert netsted array into fields using Logstash Logstash	3	4726	July 31, 2017
7y8ui9o Logstash	2	359	March 22, 2018

Using logstash to denomalize data?

Related topics