lightmustard
Reputation: 11
flatten json with logstash ruby
I have a json log that expands to this:
JSON:
|-host : hostname
|-httpRequest
|-httpVersion : HTTP/1.1
|-headers
|-0
|-name: X-Forwarded-For
|-value: 1.1.1.1
|-1
|-name: X-Forwarded-Prot
|-value: https
|-2
|-name: X-Forwarded-Port
|-value: 443
|-httpMethod: post
|-action: allow
etc..
I would like to reformat it like this:
JSON:
|-host : hostname
|-httpRequest
|-httpVersion : HTTP/1.1
|-headers
|-X-Forwarded-For : 1.1.1.1
|-X-Forwarded-Prot : https
|-X-Forwarded-Port : 443
|-httpMethod: post
|-action: allow
Split will just take the last [#] name/value as it overwrites the previous. I am pretty sure this will need a ruby code block, but I haven't had luck following along with ruby code I have found online for similar scenarios.
I think the main issue here/difference with other article/answers is that it's not just a pure flatten. But need to rearrange the name:value a bit as well.
Upvotes: 0
Views: 220
Answers (1)
lightmustard
Reputation: 11
This seems to do the trick as well:
Newfield
ruby {
code => '
event.get("[@metadata][json][httpRequest][headers]").each do |header|
event.set("[newfield][#{header["name"]}]", header["value"])
end
'
}
Same field
ruby {
code => '
headerHash = {}
event.get("[@metadata][json][httpRequest][headers]").each do |header|
headerHash[header["name"]] = header["value"]
end
event.set("[@metadata][json][httpRequest][headers]", headerHash)
'
}
Upvotes: 1
Related Questions
- Pretty-print JSON document in Logstash 5
- Logstash: How to extract an object without knowing keyname
- Is there any way to flatten json data in logstash
- Convert array of hash by logstash to simple hash
- Logstash: Flatten nested JSON, combine fields inside array
- Convert a json nested string array to a flat string logstash
- converting a nested field to a list json in logstash
- Loop through nested json in logstash with ruby
- Logstash Combine multiple json array into one
- Decompose Logstash json message into fields