So here the params is a hash, and I would like to concatenate all of the keys and store it to a new field, how can I achieve that? I found that is it possible to use inline ruby code in the configuration file but, I have no idea how to assign the return value of the concat.
grok { match => { "request" => [ "url", "%{URIPATH:url_path}%{URIPARAM:url_params}?" ]} }
urldecode{ field => "url_path" }
mutate { gsub => ["url_params","\?","" ] }
kv {
field_split => "&"
source => "url_params"
target => "params"
}
urldecode{ field => "params" }
ruby {
code => 'pattern= params.keys.join(",")'
#Pattern should be the new field that contains the key, separated by comma
}
Expected result should be:
pattern = "param1,param2,param3 ... and so on"
Solution is:
event.set('field_name', field_value)