Hi, I have a following JSON input and a little problem with pipeline rule, any help is much appreciated!
I want to use JSON extractor on it, but for an extractor to work as I would like I need to use pipeline rule on it to create new fields out of the params list key and value pairs.
NOTE: params list has various amount of key-value pairs, also the keys might not always be the same. For example first entry has keys: w, project_id; second entry has keys: w, service, project_id.
{
"method": "GET",
"format": "html",
"action": "show",
"status": 0,
"duration": 11.25,
"view": 0.0,
"params": [
{
"key": "w",
"value": "1"
},
{
"key": "project_id",
"value": "pydoc"
}
]
}
How I want the JSON to be after going through pipeline.
{
"method": "GET",
"format": "html",
"action": "show",
"status": 0,
"duration": 11.25,
"view": 0.0,
"w": "1",
"project_id": "pydoc"
}
My first question is: is it possible to check in ‘when’ clause that params list has first key then in second rule that it has second key and so on? (max key count is 5 so I would create 5 rules)
Second question: since the keys might differ, I would like to use jsonpath key in jsonpath map like seen in below example, this example of course gives me syntax error, but is there any way to read the key from jsonpath and set it as new_field’s key?
rule "split_first_param"
when
has_field("my_log") # AND is_not_null($params.[0].key)
then
let message = parse_json(to_string($message.message));
let new_field = select_jsonpath(message,
{ "$['params'][0]['key']": "$['params'][0]['value']"});
set_fields(new_field);
End