Whitelist nested field

Hi everyone,

i plan to whitelist some fields, but they are nested field. i already tried prune to whitelist them and it didn't work. for example:

Request Body : {"tipe":"FF","nama":"ABC","nik":"","handphone":"00012","email":"","channelId":"7777","clientId":"1234"}

if i want to whitelist only channelId and clientId, how do i do that? Thanks

How does it look in LS?
If is nested like:
"Request Body" : {"tipe":"FF","nama":"ABC","nik":"","handphone":"00012","email":"","channelId":"7777","clientId":"1234"}
then should be like this:
["Request Body"]["tipe"]
["Request Body"]["nama"]
...
If are not nested, then is simple just "tipe"

oh, sorry i forget to tell you that i have a json filter like this:

json{
source => "requestBody"
target => "requestBody"
skip_on_invalid_json => true
}

i tried using prune like this before but it didn't work:
[requestBody][channelId], [requestBody][clientId]

is "" inside the bracket will take effect?

Should be like this: [requestBody][channelId]
If is still not working, check in ruby debugger, you might have an array like this [requestBody][0][channelId]

A prune filter only operates on top-level fields, it cannot whitelist or blacklist nested fields.

As workaround, then you can copy white list fields in another fields, and remove requestBody

mutate { remove_field => ["requestBody"] }

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.