如何轻松地将JSON成员提升为主事件级别? [英] How to easily promote a JSON member to the main event level?
问题描述
我正在使用http_poller来访问API端点以获取一些我想用Elasticsearch编制索引的信息.结果以JSON格式显示,并且是记录列表,如下所示:
I'm using an http_poller to hit an API endpoint for some info I want to index with elasticsearch. The result is in JSON and is a list of records, looking like this:
{
"result": [
{...},
{...},
...
]
}
我真正想将数组中的每个结果对象转换为一个在ElasticSearch中建立索引的事件,因此我尝试使用split过滤器将对象转换为一系列事件.它运行得相当不错,但是现在我有一系列看起来像这样的事件:
Each result object in the array is what I really want to turn into an event that gets indexed in ElasticSearch, so I tried using the split filter to turn the object into a series of events instead. It worked reasonably well, but now I have a series of events that look like this:
{
result: { ... }
}
我当前的过滤器如下:
filter {
if [type] == "history" {
split {
field => "result"
}
}
}
每个结果对象都有大约20个字段,我大部分都需要,所以我知道我可以按照
Each of those result objects has about 20 fields, most of which I want, so while I know I can transform them by doing something along the lines of
filter {
if [type] == "history" {
split {
field => "result"
}
mutate {
add_field => { "field1" => "%{[result][field1]}"
#... x15-20 more fields
remove_field => "result"
}
}
}
但是有这么多字段,我希望有一种方法可以将结果"值的所有字段复制到事件中.
But with so many fields I was hoping there's a one-liner to just copy all the fields of the 'result' value up to be the event.
推荐答案
这可以通过ruby过滤器来完成,如下所示:
This can be done with a ruby filter like this:
ruby {
code => '
if (event.get("result"))
event.get("result").each { |k,v|
event.set(k,v);
}
event.remove("result");
end
'
}
我不知道用任何内置/公开可用的过滤器来做到这一点.
I don't know of any way to do this with any of the built in/publicly available filters.
这篇关于如何轻松地将JSON成员提升为主事件级别?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
