Working with key:value arrays

Badger · September 9, 2021, 9:37pm

Your values contain commas, so a simple mutate+split will incorrectly parse the [message]. Luckily, a kv filter parses it correctly

kv { field_split => "," value_split => ":" trim_key => '"' target => "[@metadata][kvData]" }
    ruby {
        code => '
            kvData = event.get("[@metadata][kvData]")
            if kvData
                data = []
                kvData.each { |k, v|
                    data << { "Field1" => k, "Field2" => v }
                }
                event.set("someField", data)
            end
        '
    }
    split { field => "someField" }

You can move the results to the top level using this code.

I think using a kv filter is fragile, and I would do it in ruby.

    ruby {
        code => '
            matches = event.get("message").scan(/"([^"]*)":"([^"]*)"(,|$)/)
            data = []
            matches.each_index { |x|
                data << { "Field1" => matches[x][0], "Field2" => matches[x][1] }
            }
            event.set("someField", data)
        '
    }
    split { field => "someField" }

Although that regexp may not be any less fragile than the kv filter

Topic		Replies	Views
Split array fields in logstash Logstash	22	10529	June 7, 2017
Array field in event Logstash	6	2693	January 6, 2017
How to handle key value pairs when keys and values are in different fields Logstash	4	107	May 29, 2024
Split string into array and then into key value pairs Logstash	3	1894	March 18, 2021
Flatten the json array into field in filter of logstash Logstash	2	1822	July 11, 2018

Working with key:value arrays

Related Topics