Using logstash to denomalize data?

dmarshall · January 19, 2022, 5:06pm

I have data coming in with field names like this:
"field_1" => "10"
"field_2" => "20"

and I'm trying to figure out how to convert it to something more like this:
"field" => [ {"num" => "1", "val" => "10"}, {"num" => "2", "val" => "20"}]

Issue is the source is sending in dozens of these fields, with an index that could theoretically go to 10k on each, so I'd end up with an index with potentially hundreds of thousands of fields.

I got tasked with this by my boss, but I really know next to nothing about logstash. For this, I'm not even sure what I'm looking for - just a function name would be useful so I could google it. :S

Badger · January 19, 2022, 6:16pm

Assuming that they are all top-level fields and the names really do start with "field_" you could try something like

ruby {
    code => '
        fields = []
        event.to_hash.each { |k, v|
            if k =~ /^field_\d+/
                newK = k.sub(/^field_/, "")
                fields << { "num" => newK, "val" => v }
                event.remove(k)
            end
        if fields != []
            event.set("fields", fields)
        end
    '
}

dmarshall · January 19, 2022, 6:28pm

Thanks! I'll give this a shot.

system · February 16, 2022, 6:29pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
XML Logstash Logstash	2	196	July 25, 2021
Rename field Logstash	3	703	February 21, 2018
Best Way to create nested field Logstash	10	21022	July 6, 2017
Remove part of field name from json inputted fields Logstash	9	3758	July 6, 2017
Wildcards in logstash remove_field Logstash	12	3590	August 14, 2020

Using logstash to denomalize data?

Related Topics