Want to remove a field whose position changes in the JSON response

Hi, I need help.
I got this error on Logstash:
<LogStash::Event:0x264d46cf>], :response=>{"index"=>{"_index"=>"shodan_data_ip_history", "_type"=>"_doc", "_id"=>"sy7ef3IBfJwC4yBc10gf", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [data.ssl.cert.serial] of type [long] in document with id 'sy7ef3IBfJwC4yBc10gf'. Preview of field's value: '272721470987025980360415388385100183350393'", "caused_by"=>{"type"=>"json_parse_exception", "reason"=>"Numeric value (272721470987025980360415388385100183350393) out of range of long (-9223372036854775808 - 9223372036854775807)\n

I heard that the solution is to remove that field, but the problem is that the field comes in many positions, like this:

[data][0][ssl][cert][serial]
sometimes [data][1][ssl][cert][serial]
..
..
..
sometimes .... [data][12][ssl][cert][serial]
..
..
How can I remove it in a generic way?
Thanks

You would have to use a ruby filter. Something like this.


Thanks for replying ... you helped me find the solution.

Here is the solution:

ruby {
  code => '
    # Remove the whole "ssl" object from every element of [data], whatever its index
    volumesArray = event.get("data")
    if volumesArray
      newVolumesArray = [ ]
      volumesArray.each { |x|
        x.delete("ssl")
        newVolumesArray << x
      }
      event.set("data", newVolumesArray)
    end
  '
}
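
Added example, not part of the thread and not the posters' code: the filter above drops the entire `ssl` object, so every other certificate field in the banner is lost along with the serial. The plain-Ruby sketch below keeps the rest of `ssl` and only moves `serial` to a string field at every index of `data`. The field name `serial_str` and the sample banners are assumptions constructed for illustration; a new field name is used because the existing `serial` mapping is already `long`.

```ruby
# Bounds of the Elasticsearch "long" type, as quoted in the error message above.
LONG_RANGE = (-(2**63)..(2**63 - 1))

# True when an integer cannot be indexed into a "long" field.
def out_of_long_range?(n)
  n.is_a?(Integer) && !LONG_RANGE.cover?(n)
end

# Returns a copy of one banner with ssl.cert.serial moved to
# ssl.cert.serial_str (hypothetical field name). Banners without
# ssl.cert.serial, or that are not hashes, are returned unchanged.
def move_serial(banner)
  return banner unless banner.is_a?(Hash)
  ssl = banner["ssl"]
  return banner unless ssl.is_a?(Hash)
  cert = ssl["cert"]
  return banner unless cert.is_a?(Hash) && cert.key?("serial")

  new_cert = cert.reject { |key, _| key == "serial" }
  new_cert["serial_str"] = cert["serial"].to_s
  banner.merge("ssl" => ssl.merge("cert" => new_cert))
end

# Applies move_serial to every element of [data], whatever its index.
def sanitize_serials(data)
  return data unless data.is_a?(Array)
  data.map { |banner| move_serial(banner) }
end

# Constructed sample; the first serial is the value from the error message.
SAMPLE = [
  { "port" => 443, "ssl" => { "cert" => {
    "serial" => 272721470987025980360415388385100183350393, "expired" => false } } },
  { "port" => 22 },
  { "port" => 8443, "ssl" => { "cert" => { "serial" => 4660 } } }
].freeze

# Inside a Logstash ruby filter the call would be:
#   event.set("data", sanitize_serials(event.get("data")))
puts sanitize_serials(SAMPLE).inspect
```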
