I managed to solve the problem. I tried the split/aggregate solution the whole day, but it did not end up working as expected.
But, the first option you presented was a success. A ruby filter, inspired by the post you linked and
this post helped to get the final solution.
ruby {
init => "require 'nokogiri'"
code => "
oldHistory ||= event.get('history')
newHistory ||= []
field1CReplacement = {}
oldHistory.each { |x|
if x.include? 'field1C'
value = x['event_history_xmlclassification']
doc = Nokogiri::XML::Document.parse(value, nil, value.encoding.to_s)
doc.remove_namespaces!
attr1 = doc.xpath('/xmlRootTag/@attr1').text
field1CReplacement['attr1'] ||= attr1
attr2 = doc.xpath('/xmlRootTag/@attr2').text
field1CReplacement['attr2'] ||= attr2
x['field1CReplacement'] = field1CReplacement
end
newHistory << x
}
event.set('history', newHistory)
"
}
Thanks you for your guidance!