Logstash - Convert Field Names to Lowercase

Question

I am processing http logs and converting querystring parameters to fields.

kv
{
  source => "uriQuerystring"
  field_split => "&"
  target => "uriQuerystringKeys"
}

However because callers are using mixed case parameters, I end up with numerous duplicates.

eg: uriQuerystringKeys.apiKey, uriQuerystringKeys.ApiKey, uriQuerystringKeys.APIKey

What do I need to do in my logstash configuration to convert all these field names to lowercase?

I see there's an open issue for this feature to be implemented in Logstash, but it's incomplete. There's a suggestion for some ruby code to be directly executed, but it looks like this converts all fields (not just ones of a certain prefix).

score 0 · Answer 1 · edited May 23 '17 at 12:31

0

Here's a prior answer that contains the basic code you would need.

You can see a conditional inside the loop, which you could use to enforce the prefix limitations on the fields.

edited May 23 '17 at 12:31

Community

1
1

answered Mar 01 '16 at 04:53

Alain Collins

16,268
2
32
55

Logstash - Convert Field Names to Lowercase

1 Answers1