Field Name

Data Type

Multiplicity

Hierarchy

Event_type

Primitive - String

Single-valued

Flat

Timestamp

Primitive- Date

Single-valued,

Flat

The field type is Simple because the field is on the topmost level of the JSON log, i.e. it is not nested under other fields

All date fields are strings that follow a particular date format. For this example this date field follows ISO 8601 format.

2025-01-11 → Date in YYYY-MM-DD format

T → Separator between date and time

12:00:00 → Time in HH:MM:SS (24-hour format)

Z → Zulu time (UTC, Coordinated Universal Time)

System{}

Composite (Object or dictionary)

Single-Valued

Nested

Composite field because its value has 2 other fields (dictionaries)

These fields have a hierarchy, making the JSON a tree structure.

Notice the curly brackets next to the field name, this is an indicator that this field is composite.

In order to access the composing nodes, we use the json dot notation, i.e. "System.hostname" and "System.ip_address" are how we access the subfields nodes of "System".

user{}

Composite (Object or dictionary)

Single-valued

Nested

Composite because, like "system", "User" is composed of different fields underneath.

Nested fields values are fields that contain other json fields ({id:..., username:...,...}) in a hierarchy.

In Python this is analogous to a key whose value is a dictionary.

user.VIP

Primitive-Boolean

Single-valued

Simple

Boolean fields are either true or false strictly lowercase without any quotes.

Boolean fields are not strings as they have no enclosing double quotes "". 

This field "user.VIP" is a subfield field of "user" field.

This field is a subfield node of User parent field but it has no subfields nodes, so it is a simple in terms of hierarchy even though it is accessed through its parent node "users"

As you could notice, accessing the nested a hierarchy through JSON is done using dot notation indicating parent-subfield node relationship, for example here it is "users.vip" indicating the path to access "vip" through its parent node "users".

User.id

Primitive-Integer

Single-valued

Flat

Integer fields are digits without double quotes.

Integer fields (e.g. 12345) are handled differently from string fields surrounded by double quotes i.e. "12345" =! 12345, the left is a string of integer while the right is an integer.

The field "user.id" is flat because it has no subfields nodes, even though it has parent node "user"

Tags[*]

Primitive-Integer-Repeated

Mutli-valued (Repeated, List)

Flat

Flat because it has no untested JSON fields, notice that "Tags" value is a list, not a dictionary (unlike "system")

Each element in the list structure a "String", so its data type is string but repeated, so we can consider this field a Repeated-Atomic field.

Notice the brackets "[ ]" on the left of the field name, this is an indicator that this field is not composite but a repeated one.

Repeated fields are accessed slightly different than composite fields, for example the second tag is accessed as "tags[1]" not "tags.1"

User.Sessions{}[*]

Dictionary (Composite)-Repeated

Mutli-valued (Repeated, List)

Nested

This is the most complex field type, it has all the sub-types discussed ;

Repeated as it is composed of 2 Session Objects (0 and 1 both branching from the bracket next to "Sessions" field name).

Each element in the list is a dictionary(object), so its Data type is dictionary-repeated or Repeated-Composite.

The field is nested because each element in the list has nested fields like "user.sessions[0].actions[1]"

user.sessions{}[*].actions{}[*].action_type

String

Single Valued (Mandatory)

Flat 

Mandatory Fields Appear in ALL of their parents' instances. I.e. Every "actions" object has an "action_type"

user.sessions{}[*].actions{}[*].query

String

Single Valued (Optional)

Flat 

Optional Fields Appear in SOME of their parents' instances. I.e. Not every "actions" object has a "query", but only the "search" actions will have it .

Select The Whole JSON 

$

1. Operator $ Selects the root node of the JSON file in JsonPath, it represents the root node of a JSON object.
2. It returns a list that has 1 element which is the json log message.
3. In GoStash; Input log messages fall under a default root field name called "message", so we could say that; "message" field name is the equivalent to the JSON Path $.

Select a Simple field

$.event_type

The first operator $ selects the root json log, while the dot operator "." moves the selection one level down to the subfields nodes, and "event_type" picks the subfield node "event_type, So in effect this selects the value of the event_type field which is “user_activity”

In Gostash, to reference the same field :

1. Assignment Operator : Use "%{event_type}".|
   

   filter {
   json { source => "message"   array_function => "split_columns"}
   mutate { replace => { "myVariable" => "%{event_type}" }}
   }

2. IF conditional : use [event_type]
   

   filter {
   json { source => "message"   array_function => "split_columns"}
   if [event_type]=="abc"{
   }
   }

   
   
3. Loop : Not supported for simple fields.

Select a subfield field

Same like above ; $ selects the root json log, "." moves one level down to the subfields nodes, "event_type" picks the subfield node "event_type", but we move 1 step further and reference the 2nd level field "id"

In Gostash, to reference the same field :

1. Assignment Operator :
   1. 1. For non-string fields : 
      Not Supported. For example user.id is an integer not a string, so
      

      filter {
      json { source => "message"   array_function => "split_columns"}
      mutate { replace => { "myVariable" => "%{user.id}" }}
      }

      
      Will give an error, as "user.id" is an integer field not a string field -as we highlighted earlier.

   2.  For string fields: 
      Supported ; e.g. for "user.username" field is a string field, referenced by %{user.username}
      

      filter {
      json { source => "message"   array_function => "split_columns"}
      mutate { replace => { "myVariable" => "%{user.username}" }}
      }

       

2. IF conditional : Use [user][id] or [user][username]
   

   filter {
   json { source => "message"   array_function => "split_columns"}
   if [user][id] == 13 {
   }
   }

   
   IF Conditionals in logstash use bracket notation instead of dot notation to reference nested fields.
   IF conditionals support both string and non-string data types.
   
3. Loop : Not supported for simple fields.

Select a Repeated field

$.Tags[*]

The syntax is similar to the above cases, but requires appending "[*]" to indicate querying ALL the repeated field values.

If we need to access the 2nd tags, The JSON Path is $.Tags[1] 

In Gostash, to reference the 2nd Tag field :

1. Assignment Operator :
   1. With "array_function":
      1. Accessing all values of a repeated field: Not supported.
         In GoStash, you cannot use wildcard syntax (like %{Tags.*}) to access all items in a repeated field. You must reference specific elements by their index, such as the first or second tag.
         

         json { source => "message"   array_function => "split_columns"}
         mutate { replace => { "myVariable" => "%{Tags.*}" }}
         statedump {}
         }

         1. Accessing a specific value of a repeated field: Supported

      2. "%{Tags.1}" is supported
         

         filter {
         json { source => "message"   array_function => "split_columns"}
         mutate { replace => { "myVariable" => "%{Tags.1}" }}
         statedump {}
         }

   2. Without "array_function":
      Not supported. Repeated fields won’t be accessible, i.e. %{Tags.1} is not possible if the JSON is parsed without the "array_function";
      

      filter {
      json { source => "message"}
      mutate { replace => { "myVariable" => "%{Tags.1}" }}
      statedump {}
      }

      
      

      "array_function" should be always used to allow accessing repeated fields.

2. IF conditional : supported with "array_function" but uses the bracket notation
   

   filter {
   json { source => "message" array_function=>"split_columns"}
   if [Tags][1] == "dev" {
   statedump {}}
   }

   
   Without array_function: Not supported and will give an error ;
   

   filter {
   json { source => "message" }
   if [Tags][1] == "dev" {
   statedump {}}
   }

3. Loop :
   1. With array_function: Supported ;
      

      filter {
      json { source => "message" array_function => "split_columns"}
      for index, _tag in Tags {
      statedump {}}
      }

      
      The loop will execute two times, corresponding to the two values in the 'Tags' field. Pay attention to the use of 'Tags' without the '%{}' syntax. We'll cover the reason for this in a later section.
      
      GoStash's syntax might allow you to write loops referencing specific indexes of repeated fields (e.g., Tags.0), but this will result in a logical error, and the loop's content will be skipped.
      

      filter {
      json { source => "message" array_function => "split_columns"}
      for index, _tag in Tags.0 {
      statedump {}}
      }

      1. Without array_function: loop won't produce a syntax error, but it will fail to execute. This is a logical error, meaning the loop is structurally incorrect.
         

         filter {
         json { source => "message" }#array_function => "split_columns"}
         for index, _tag in Tags {
         statedump {}}
         }

Select a Composite Field

OR

 This example is a particular distinction between JSON Path and Gostash. You can select the composite field in JSONPath same way as selecting the simple fields using $.system , but it will generate a list of objects ;

[
  {
    "hostname": "server-001",
    "ip_address": "192.168.1.100"
  }
]

Appending [*] to the end as in $.system[*] will flatten json object inside the list to be ;

[
  "server-001",
  "192.168.1.100"
]

In Gostash, there is no direct equivalent to $.system[*]. Referencing a sub-field in a composite field is done the same way as the subfield fields but explicitly, i.e. %{user.username} but there is there is no syntax for something like %{user.*} . 

Looping is supported for composite fields, you can loop for each sub-field ;

1. Assignment Operator : Supported for explicit sub-field (as indicated earlier).
   

   filter {
   json { source => "message"}
   mutate { replace => { "myVariable" => "%{system.hostname}" }}
   statedump {}
   }

2. IF conditional :  Supported using Bracket Notation (as indicated earlier).
   

   filter {
   json { source => "message"}
   if [system][hostname] == "server-001" {
   statedump {}
   }
   }

3. Loop : Looping through a composite field is supported using the "map" keyword.
   

   filter {
   json { source => "message"}
   for index, systemDetail in system map {
   statedump {}}
   }

   
   This is a distinction from looping through repeated fields which does not require the "map" keyword. This will be discussed later in more details.
   

Print Tokens Captured

filter {
statedump {}
}

Snippet from statedump output:

{
  "@createTimestamp": {
    "nanos": 0,
    "seconds": 1736558676
  },
  "@enableCbnForLoop": true,
  "@onErrorCount": 0,
  "@output": [],
  "@timezone": "",
  "message": "{\n  \"timestamp\": \"2025-01-11T12:00:00Z\",  \n  \".....

1. The statedump operation is a powerful debugging tool within the GoStash parser. It allows you to examine the internal state of the parser by printing all captured tokens at the point of its execution. This output is displayed on the right side of the parser UI, under the 'Internal State' section. 
2. You'll notice that some tokens are pre-created by the parser, such as @output and @enableCbnForLoop. These are internal tokens used by GoStash for various purposes. 
3. It's important to observe that your input log messages, which are initially contained within the message field, are treated as raw strings at this stage. This is indicated by the escape character \ preceding the double quotes within the message field. This raw string format signifies that the JSON data within the message field has not yet been parsed into a structured JSON object.
   

Parse the JSON Schema and Flatten Repeated Fields

filter {
json { source => "message" array_function => "split_columns"}
statedump {}
}

Snippet from statedump output:

{
  "@createTimestamp": {
    "nanos": 0,
    "seconds": 1736558735
  },
  "@enableCbnForLoop": true,
  "@onErrorCount": 0,
  "@output": [],
  "@timezone": "",
  "event_type": "user_activity",
  "message": "{\n
…..
 "system": {
    "hostname": "server-001",
    "ip_address": "192.168.1.100"
  },
  "timestamp": "2025-01-11T12:00:00Z",
  "user": {.....

1. This code converts the unparsed JSON string in "message" field into a JSON schema.
2. In the SecOps environment, incoming log messages are initially placed within a 'message' field. This means that from the perspective of the SIEM, your log data is structured as follows:
   JSON
   

   { "message": {...your log data... } }

3. This 'message' field acts as a container for your actual log data. To effectively parse and utilize the information within your logs, you need to convert this raw string representation into a structured JSON object. This is where the json filter comes in. It parses the content of the message field and transforms it into a usable JSON format, allowing you to access individual fields and values within your logs
4. The initial stage of our log parsing process involves setting up the input and output structures and performing some basic transformations.
   • Input: We define the entry point for our input logs using the pseudocode Input: $.message{} = {... }. This indicates that the incoming log messages are nested under the message field, as is the convention in SecOps SIEM.
   • Output: We declare the target schema, which will eventually be converted to the UDM format, using Output: $. This signifies that the root level ($) of our output structure will be where we construct the UDM schema.
   • Moving Fields: We then move all the first-level fields from the input log schema (under message) to the root level of the output schema. This is represented by the pseudocode $ ← $.message{}.
   • Flattening: Finally, we apply a flattening operation to all repeated fields within the data. This is denoted by $ ← flatten($.*). Flattening converts repeated fields (arrays) into a composite format, making them easier to access and manipulate.
5. To understand how json works, compare the JSON tree before and after. You'll see that fields like 'event_type' are no longer under 'message'; they're now at the same level as 'message
   
   

   While without using the json parse clause,  "event_type" is a subfield of the "message" field.

   
6. The array_function plays a key role in simplifying complex JSON structures by flattening repeated fields. Let's break down how it works:
   1. Before Flattening: Imagine a user object with a sessions field that contains a list of session objects, like this:
      JSON
      

      "user": {
        "sessions": [
          { "session_id": "abc-123",... },
          { "session_id": "def-456",... }
        ]
      }

      
      
   2. After Flattening: The array_function transforms this structure by converting the sessions list into an object with numbered keys:
      JSON
      

      "user": {
        "sessions": {
          "0": { "session_id": "abc-123",... },
          "1": { "session_id": "def-456",... }
        }
      }

      This makes it much easier to access individual session objects. For example, you can now directly reference the first session as $.user.sessions.0.

      Before:

       
      
      

      After:

      
      

      The effect of flattening on the repeated Tags field:

      
      

1. Before Flattening: The Tags field is a list of values, represented as $.Tags[*]:
   JSON
   

   "Tags": ["login_logs", "dev"]

2. After Flattening: The array_function converts this list into an object with numbered keys, represented as $.Tags{}:
   JSON
   

   "Tags": {
     "0": "login_logs",
     "1": "dev"
   }

   Now you can easily access specific tags. For example, $.Tags.0 refers to "login_logs", and $.Tags.1 refers to "dev"."

   Before​

   
   

   After

   
   
    

   This conversion allows using dot notation to access repeated fields the same way as the subfields of parent nodes of composite fields.

Assign a String Constant

Task: Assign a string “Log Sample” to a new token(variable) “constantToken”

filter {
mutate { replace => { "constantToken" => "Log Sample" }}
statedump {}
}

Snippet from statedump output:

….
 "constantToken": "Log Sample",
….

1.  You can use the replace operation to assign constant values to tokens. In this case, $.constantToken ← "Log Sample" creates a new token called 'constantToken' and assigns it the string value 'Log Sample
   
   

Capture a Simple String Token

Task: Capture the value of $.user_activity into a new token “myEventClass”

filter {
json { source => "message" array_function => "split_columns"}
mutate { replace => { "myEventClass" => "%{event_type}" }}
statedump {}
}

Snippet from statedump output:

…
 "eventClass": "user_activity",
….

1. The equivalent variable assignment is similar to this ;
   

   $← flatten($.message{})
   $.myEventClass ← $.event_type 

   It's important to be aware of which schema you're referencing. If you're still working with the original input structure, then the equivalent of the second line would be $.myEventClass ← $.message{}.event_type, because the event_type field would still be nested under message

2. The replace operation can also be used to copy values from existing fields into new tokens. In this example, $.myEventClass ← $.event_type performs the following:Creates a token: If a token named 'myEventClass' doesn't exist, it's created. 
   1. Creates a token: If a token named 'myEventClass' doesn't exist, it's created.
   2. Copies the value: The value from the 'event_type' field is copied into the 'myEventClass' token.
      This effectively creates a copy of the 'event_type' field's value under a new name ('myEventClass')."
      
3. Token names are case sensitive, "event_type" is not the same as "Event_type".

Capture a subfield String Token

Task : Capture the value of $.user{}.username into a new token “myUser”

filter {
json { source => "message" array_function => "split_columns"}
mutate { replace => { "myUser" => "%{user.username}" }}
statedump {}
}

Snippet from statedump output:

…
 "myUser": "johndoe"
….

1. The equivalent variable assignment is similar to this ;
   

   $ ← flatten($.message{})
   $.myUser ← $.user{}.username 

   This assigns the value from the nested 'username' field (within 'user') to a new token called 'myUser'

   

Capture a Repeated String Field with Specific Order

Task: Capture the value of the first session ID $.user{}.sessions{}[0].session_id and the second tag $.Tags[0]

filter {
json { source => "message" array_function => "split_columns"}
mutate { replace => { "firstSession" => "%{user.sessions.0.session_id}" }}
mutate { replace => { "secondTag" => "%{Tags.1}" }}
statedump {}
}

…
 "firstSession": "abc-123",
….

1. Equivalent to ;
   

   $.← flatten($.message{})
   $.firstSession ← $.user{}.sessions{}.0.session_id
   $.secondTag ← $.Tags{}[].1

   The array_function in GoStash introduces a key difference in how you work with repeated fields compared to JSONPath.

   • JSONPath: In JSONPath, you would use $.Tags[*] to access all elements of the Tags array.
   • GoStash: In GoStash, because array_function flattens the array, you can access individual elements using dot notation, like %{Tags.1} for the second element.
2. Without array_function the variable assignment will fail, 
   i.e. %{Tags.1} is not supported without the "array_function" clause.

Task: Capture the first action type under the first action in the first session $.user{}.sessions{}[0].actions{}[0].action_type into “firstActionType”

### filter {
json { source => "message" array_function => "split_columns"}
mutate { replace => { "firstActionType" => "%{user.sessions.0.actions.0.action_type}" }}
statedump {}
}

…
 "event_type": "user_activity",
….​

$← flatten($.message{})
$.firstActionType ← $.user.sessions.0.actions.1.action_type

Initialize an empty field

Task: Declare and Clear an empty token “emptyPlaceholder”

### Capture the first session ID 
filter {
json { source => "message" array_function => "split_columns"}
mutate { replace => { "emptyPlaceholder" => "" }}
statedump {}
}

…
 "emptyPlaceholder": "",
….

1.  Equivalent to ;
   

   $.← flatten($.message{})
   Declare Variable: string temp = ""​

2. In previous examples, we directly assigned values to tokens without explicitly initializing them. However, there are specific scenarios where initialization becomes crucial:
   • Looping: When using loops to iterate over data, you often need to initialize a token to store values or accumulate results within the loop.
   • Looped Concatenation: If you're combining values within a loop, you need an initialized token to store the concatenated result.
   • Repeated Lists: When working with repeated lists (arrays), initializing a token can help you manage and manipulate the elements effectively.
   • Deduplication: Removing duplicate entries from a list often requires an initialized token to track unique values.

In these cases, initializing the token ensures that it exists and is ready to be used in the intended operation. We'll explore these scenarios in more detail in the following sections.

Capture a field -if exists- with Exception Handling

filter {
json { source => "message"   array_function => "split_columns"}
mutate { replace => { "my3rdTag" => "%{Tags.2}"} on_error => "3rdTag_isAbsent"}
statedump {}
}

…
 "3rdTag_isAbsent": true,
…

1.  Equivalent to ;
   

   $← flatten($.message{})
   $.my3rdTag  ← $.Tags{}[].3, ifError raiseFlag: $.3rdTag_isMissing ← true

2. This scenario demonstrates GoStash's robust error handling when dealing with repeated fields.
   • Accessing Non-Existent Elements: When you attempt to access an element that doesn't exist within a flattened repeated field (e.g., trying to access the 3rd tag when there are only two), GoStash doesn't halt the parsing process.
   • Raising a Flag: Instead, it raises a flag to indicate that the element was not found. In this case, the flag is named '3rdTag_isAbsent'. This allows you to identify potential issues in your data or parsing logic.
   • Continuing Execution: Importantly, GoStash continues to execute the remaining lines of your parsing configuration. This ensures that even if there are minor inconsistencies in your data, the parsing process can still proceed and extract valuable information from other parts of the logs.
3. The on_error clause is a powerful feature in GoStash that provides several benefits:
   
   • Exception Handling: It allows you to gracefully handle exceptions or errors that might occur during parsing, such as trying to access a non-existent field.
   • Field Existence Detection: You can use on_error to check whether a recurring or optional field is present in the data.
   • Debugging Probe: It can act as a debugging tool, allowing you to raise flags or perform actions when specific conditions are met or not met.
     

     In this example, without on_error, trying to access the non-existent 3rd tag would result in a compilation error, halting the parser execution. However, with on_error, GoStash raises a flag named '3rdTag_isAbsent' and sets it to 'True', allowing the parser to continue executing. This demonstrates how on_error can prevent complete parser failure and provide more robust error handling."

     I.e. Using "mutate { replace => { "my3rdTag" => "%{Tags.2}"}}" statement without "on_error" will generate a compiling error, and will stop the parser execution as there is no 3rd tag field in this example.

4. By combining on_error with conditionals, you can create 'smart' parsing rules that adapt to different log formats. For instance, you can check if a field like 'query' is present and then trigger specific actions based on its existence.

Capture a subfield Non-String Field

Task: Capture $.user{}.id integer field

filter {
json { source => "message" array_function => "split_columns"}
mutate {convert => {"user.id" => "string"} on_error => 
"userId_conversionError"}
mutate { replace => { "myUserId" => "%{user.id}" }}
mutate {convert => {"myUserId" => "integer"}}
statedump {}
}

…
 "myUserId": 12345,
 "userId_conversionError": false
….

1.  Equivalent to ;
   

   $← flatten($.message{})
   $.user{}.id  ← string($.user{}.id), IfError: 
   raiseFlag $.userId_conversionError ← True
   $.myUserId ← $.user{}.id 
   $.myUserId  ← integer($.myUserId)​

2. The replace operator in GoStash is primarily designed for working with string fields (textual data). If you need to capture a field that is not a string (e.g., a number, boolean, or date), you'll need to follow a specific process:
   1. Convert to String: Use the appropriate conversion function to convert the non-string field into a string representation.
   2. Assign with replace: Use the replace operator to assign the converted string value to a token.
   3. Convert Back to Original Type: Use another conversion function to convert the token back to its original data type.
3. While both convert and replace work with fields, there's a slight difference in how you reference those fields:
   • convert: This operator expects field names to be provided directly, without any enclosing symbols. For example, you would use field_name or nested_field.sub_field.
   • replace: This operator requires field names to be enclosed in %{}. For example, you would use %{field_name} or %{nested_field.sub_field}.
     

     Keep this distinction in mind to avoid syntax errors when using these operators

Sample Token Types:

Assume an input message processed by the parser below ;

{ "booleanField": true,
  "booleanField2": 1,
  "floatField": 14.01,
  "integerField": -3,
  "uintegerField": 5,
  "stringField": "any single-line string is here"}

filter {
json { source => "message"}
statedump {}
}​

{ 
 "booleanField": true,
  "booleanField2": 1,
  "floatField": 14.01,
  "integerField": -3,
 "stringField": "any single-line string is here",
  "uintegerField": 5
}​

1. In the example, GoStash automatically recognized and handled the various data types: boolean fields were parsed as booleans, integer fields as integers, and so on.
2. The supported target data types for the convert statement are provided in https://cloud.google.com/chronicle/docs/reference/parser-syntax#convert_functions :
   

   boolean
   float
   hash
   integer
   ipaddress
   macaddress
   string
   uinteger
   hextodec
   hextoascii

Constructing Nested String Elements

Task: Capture $.event_type and $.date into a Hierarchical token “grandparent.parent.eventType” and “othergrandparent.otherparent.date”

filter {
json { source => "message"   array_function => "split_columns"}
mutate { replace => { "grandparent.parent.eventType" => "%{event_type}" }}




mutate { replace => { "myTimestamp" => "%{timestamp}" }}
mutate { rename => { "myTimestamp" => "othergrandparent.otherparent.date" }}


statedump {}
}

Snippet from statedump output:

… :
 "grandparent": {
    "parent": {
      "eventType": "user_activity"
    },
 "othergrandparent": {
    "otherparent": {
      "date": "2025-01-11T12:00:00Z"
    }
  },
…

1. Equivalent to ;
   

   $← flatten($.message{})
   $.grandparent{}.parent{}.eventType ← $.eventType
   
   $.myTimestamp ← $.timestamp
   Rename $.myTimestamp ⇒ $.othergrandparent.otherparent.date

   
2. When capturing string fields using the replace operator, you have the ability to add any number of hierarchical parent levels to the captured token. This allows you to organize your data into a nested structure.
   1. Creating Nested Structures: The first line $.grandparent{}.parent{}.eventType ← $.eventType demonstrates how to create nested fields using the replace operator. It creates a hierarchy of fields named 'grandparent' and 'parent' and places the 'eventType' field inside this nested structure.
   2. Renaming and Moving Fields: The next two lines show how to rename and move a field using the rename operator.
      1. $.myTimestamp ← $.timestamp first creates a copy of the 'timestamp' field named 'myTimestamp'.
      2. Rename $.myTimestamp ⇒ $.othergrandparent.otherparent.date then renames 'myTimestamp' to 'date' and moves it under a new nested structure with 'othergrandparent' and 'otherparent' levels.
3. However, the rename operator offers a more flexible way to achieve the same result. With rename, you can move existing fields and tokens within the JSON hierarchy, giving you more control over the final structure. We'll explore the capabilities of rename in a later section.

Loop through Composite Fields

Task: Loop through the subfields of the composite field $.system{}. 

filter {
json { source => "message" array_function => "split_columns"}
for index_, field_ in system map {
statedump {}
}
}

Snippet from statedump output:

First Loop Iteration:

{….
 "field_": "server-001",
  "index_": "hostname",
  "iter": {
    "system-3": 0
  },
  "iter-3-33": {
    "keys": [
      "hostname",
      "ip_address"
    ]
…}

Second Loop Iteration

{...
 "field_": "192.168.1.100",
  "index_": "ip_address",
  "iter": {
    "system-3": 1
  },
  "iter-3-33": {
    "keys": [
      "hostname",
      "ip_address"
    ]
  },
…}

1.  Equivalent to ;
   

   $ ← flatten($.message{})
   
   For index_, field_ in $.system{} : 
   Print All Fields

   # Output:

   # index_ = hostname in first run, ip_address in second run. 

   # field_ = server-001 in first run, then 192.168.1.100 in second run

2. This loop provides a way to iterate over the fields within a composite field, such as 'system' in this case.
   1. index_: This variable acts as a counter or index, holding the name of the current field being processed within the loop. In the first iteration, index_ will be 'hostname', and in the second iteration, it will be 'ip_address'.
   2. field_: This variable stores the actual value of the field corresponding to the current index_. So, in the first run, field_ will hold the value 'server-001', and in the second run, it will hold '192.168.1.100'.
3. The map keyword in GoStash provides a way to iterate over the fields within a composite field. Here's how it works:
   • map keyword: Indicates that you want to loop through the subfields of a composite field.
   • index_ variable: Instead of holding a numerical index (like in repeated fields -to be discussed later-), index_ stores the actual name of each field within the composite field. For example, if your composite field is 'system' with subfields 'hostname' and 'ip_address', index_ will be 'hostname' in the first iteration and 'ip_address' in the second.
   • Values: Within the loop, you can access the value of each field using the field_ variable, as usual.
     The values in the loop will be ;
     

     index_	field_
     "hostname"	"server-001"
     "ip_address"	"192.168.1.100"

4. If "map" was not used as in ;
   
   

   for index_, field_ in system {

   You will get an error.

Loop through Repeated Flattened Fields

Task: Loop through the repeated field $.Tags[].

#Loop through the Tags repeated field ;
filter {
json { source => "message" array_function => "split_columns"}
for index_, field_ in Tags {
statedump {}
}
}

Snippet from statedump output:

First Loop Iteration:

{….
 "field_": "login_logs",
  "index_": 0,
  "iter": {
    "Tags-4": 0
  },
…}

Second Loop Iteration

{...
 "field_": "dev",
  "index_": 1,
  "iter": {
    "Tags-4": 1
  },
…}

1.  Equivalent to ;
   

   $← flatten($.message{})
   For index_, field_ in $.Tags{}[*] :  #  $.message{}.Tags[*] 
   Print All Fields ​

   # index_  = 0 in the first run then 1 in the second run (both are integers)
   # field_  = "login_logs" in the first run then "dev" in the second run.

2. This loop provides a way to iterate over the elements within a repeated field, such as 'Tags' in this case.
   • index_: This variable acts as a counter or index, holding the numerical position of the current element being processed within the loop. In the first iteration, index_ will be 0, and in the second iteration, it will be 1.
   • field_: This variable stores the actual value of the element corresponding to the current index_. So, in the first run, field_ will hold the value 'login_logs', and in the second run, it will hold 'dev'.
3. The ‘Tags’ field is accessed in JSONPath as  $.Tags[*] .
   
4. Looping through flattened repeated fields is slightly different from looping through composite fields:
   • No map keyword: You don't need to use the map keyword when looping through flattened repeated fields. The array_function handles the flattening, making the repeated field accessible like a composite field with numerical indices.
   • index_ as numerical index: The index_ variable will hold integer values (0, 1, 2, etc.) representing the position of each element in the flattened repeated field.
   • Example: If your flattened repeated field is 'Tags' with values 'login_logs' and 'dev', index_ will be 0 in the first iteration (for 'login_logs') and 1 in the second iteration (for 'dev')
     The loop variables values will be ;
     

     index_	field_
     0	"login_logs"
     1	"dev"

5. If "map" was used, i.e.
   

   for index_, field_ in Tags map {

   The loop variables “field_” will be the same, but the "index_" variable will be a string not an integer ;
   

   index_	field_
   "0"	"login_logs"
   "1"	"dev"

6. When using numeric operators like <, <=, >, or >= with repeated fields in GoStash, keep in mind that the map keyword is not applicable in this scenario.
   • map for field names: The map keyword is specifically designed for iterating over the names of fields within a composite field.
   • Numeric operators for numbers: Numeric operators are used for comparing numerical values, such as the indices of elements within a repeated field.
   • Avoid map with numeric comparisons: If you need to perform numeric comparisons within a loop that iterates over a repeated field, do not use the map keyword. Instead, rely on the numerical indices of the elements.

Write Some Simple Fields into a UDM Event

Task: Capture some string fields like  $.user{}.username into Non-Repeated UDM fields

filter {
json {  source => "message"  array_function => "split_columns"}
mutate {replace => {"event1.idm.read_only_udm.metadata.event_type" => 
"GENERIC_EVENT"}}
mutate {replace => {"event1.idm.read_only_udm.metadata.vendor_name" => 
"myVendor"}}
mutate {replace => {"event1.idm.read_only_udm.metadata.product_name" => 
"myProduct"}}

mutate {replace => {"event1.idm.read_only_udm.principal.application" => 
"%{event_type}"}}
mutate {replace => {"event1.idm.read_only_udm.principal.application" => 
"%{event_type}"}}
mutate {replace => {"event1.idm.read_only_udm.principal.administrative_domain" => 
"%{user.profile.location}"}}
mutate {replace => {"event1.idm.read_only_udm.principal.email" => 
"%{user.profile.email}"}}
mutate {replace => {"event1.idm.read_only_udm.principal.platform_version" => 
"V1"}}

mutate {convert => {"user.id" => "string"}}
mutate {replace => {"event1.idm.read_only_udm.principal.user.employee_id" => 
"%{user.id}"}}

mutate {merge => { "@output" => "event1" }}
#statedump {label => "end"}
}

"@output": [
    {
      "idm": {
        "read_only_udm": {
          "metadata": {
            "event_type": "GENERIC_EVENT",
            "product_name": "myProduct",
            "vendor_name": "myVendor"
          },
          "principal": {
            "administrative_domain": "New York",
            "application": "user_activity",
            "email": "john.doe@example.com",
            "platform_version": "V1",
            "user": {
              "employee_id": "12345"
            }
          }
        }
      }
    }
  ],

1. When defining your UDM target schema in GoStash, you have the freedom to choose the name of the top-level field that will contain your event data.
   • Default Value: By default, GoStash uses the field name 'event'.
   • Customization: However, you can customize this to any value that suits your needs. In this example, we're using 'event1' to demonstrate this flexibility.
   • Non-Reserved Keyword: It's important to note that 'event' is not a reserved keyword, meaning you can use it even if you choose a different name for your top-level field.
2. When defining your UDM target schema in GoStash, it's essential to adhere to the UDM field name format to ensure compatibility and consistency.
   • Top-Level Field: The name you choose for your top-level event field (e.g., 'event1') must be followed by '.idm.read_only_udm'. This creates the complete root node for your UDM schema (e.g., 'event1.idm.read_only_udm').
   • UDM Field List: Refer to the official UDM field list documentation https://cloud.google.com/chronicle/docs/reference/udm-field-list#field_name_format_for_parsers  for detailed information on valid field names and their formats.
   • UDM Event Data Model: The overall hierarchy of your UDM schema should follow the structure defined in the UDM event data model documentation [insert hyperlink here]. This ensures that your data is organized according to the UDM standard.
3. When building your UDM schema in GoStash, it's crucial to follow the hierarchical structure defined in the UDM event data model. This ensures that your data is organized correctly and can be interpreted by Chronicle.
   • UDM Event Data Model: The UDM event data model specifies the relationships between different fields and how they should be nested within the overall schema. You can find the details in the documentation at https://cloud.google.com/chronicle/docs/reference/udm-field-list#udm_event_data_model .
     Example: The documentation shows that fields like principal and target should be placed under the event.idm.read_only_udm node.
     
4. To select suitable fields for your UDM target schema, you'll need to navigate the UDM Event data model hierarchy, which is documented here: [link to UDM event data model].
   • Starting Point: Begin with the 'Event' data model, not the 'Entity' data model. These two models have different structures and purposes.
   • Hierarchy: The UDM Event data model defines a hierarchical structure for your fields. Start at the root node (e.g., 'event1' in our example) and follow the defined hierarchy to choose appropriate fields.
   • Field Selection Criteria: When selecting fields, consider the following:
     • Non-repeated fields: Choose fields that are single-valued, not repeated (i.e., not lists or arrays).
     • String field type: Select fields that have a string data type.
   • Field Type and Multiplicity: The documentation provides information about the field type (whether it's a primitive type like string or integer, or a composite object) and the multiplicity (whether it's repeated or single-valued). Use this information to guide your field selection.
     

     Field Name	Type	Label
     about	Noun	repeated
     additional	google.protobuf.Struct
     extensions	Extensions
     intermediary	Noun	repeated
     metadata	Metadata
     network	Network
     observer	Noun
     principal	Noun
     security_result	SecurityResult	repeated
     src	Noun
     target	Noun
     Field Name	Type	Label
     about	Noun	repeated
     additional	google.protobuf.Struct
     extensions	Extensions
     intermediary	Noun	repeated
     metadata	Metadata
     network	Network

     
     
5. In the UDM schema, the event_type field plays a crucial role. It's a mandatory field that categorizes the event and determines the requirements for other fields within the schema.
   • Location: The event_type field is located within the metadata object, creating the path metadata.event_type. You can find detailed information about this field in the documentation:
     • https://cloud.google.com/chronicle/docs/reference/udm-field-list#Metadata
     • https://cloud.google.com/chronicle/docs/reference/udm-field-list#Metadata.EventType
   • Enumerated String: The event_type field is an enumerated string, meaning it can only hold specific predefined values. The allowed values are listed in the documentation.
   • Mandatory and Optional Fields: The value you choose for event_type determines which other fields in the schema are mandatory or optional. This information is crucial for ensuring that your UDM events are valid and contain the necessary information for analysis. You can find the field requirements for each event_type in the UDM usage documentation: https://cloud.google.com/chronicle/docs/unified-data-model/udm-usage#required_and_optional_fields
     
     Here's how the event_type influences mandatory fields:
     
   • Example: HTTP Events: When parsing logs related to HTTP activity, you would set the event_type field to NETWORK_HTTP. This signals to Chronicle that the event is related to web traffic.
   • Mandatory Fields: By setting event_type to NETWORK_HTTP, certain other fields become mandatory to provide a complete picture of the HTTP event. For example, the network.http.method field, which indicates the HTTP method used (GET, POST, PUT, etc.), is now required.
   • Reference: You can find the specific mandatory fields for NETWORK_HTTP events in the UDM documentation: https://cloud.google.com/chronicle/docs/unified-data-model/udm-usage#network_http
     
     This example demonstrates how the event_type acts as a key that unlocks specific requirements for other fields within the UDM schema. By understanding these requirements, you can ensure that your GoStash configurations produce valid and informative UDM events.
     
6. Using 'GENERIC_EVENT' as your event_type is a good way to learn the basics of UDM without getting bogged down in complex field requirements. You can add more specific fields later as you become more familiar with the schema.
7. To assign the value 'GENERIC_EVENT' to the event_type field in your UDM schema, you'll need to follow the hierarchical structure defined by UDM and utilize the concept of "Constructing Nested String Elements."
   • Hierarchy: The event_type field is nested within the metadata object. This means you need to create the metadata object first before you can assign a value to event_type.
   • Constructing Nested String Elements: This refers to the process of building the nested structure by creating the parent objects first. In this case, you would first create the metadata object and then assign the value 'GENERIC_EVENT' to the metadata.event_type field
     
     Root ($.event1.idm.read_only_udm) ⇒ (metadata : Composite object of type “Metadata” ) ⇒ (event_type : Enumerated String)
     

     mutate {replace => 
     {"event1.idm.read_only_udm.metadata.event_type" => 
     "GENERIC_EVENT"}}

8. The step-by-step approach to mapping simple string non-repeated fields to your UDM schema in GoStash:
   1. Identify a Suitable Parent: Start by identifying a relevant parent field from the UDM field list (e.g., 'about', 'additional', 'target').
   2. Check the Object Type: Refer to the 'Type' column in the UDM documentation to understand the structure and composition of the parent field.
   3. Select a Non-Repeated Field: Choose a suitable field within the parent that is not repeated (i.e., not a list or array).
   4. Continue Drilling Down: Repeat steps 2 and 3 until you reach a field that is either an enumerated string field or a single-valued field.
   5. Use replace to Build the Hierarchy: Use the replace operator to construct the full path from the root of your UDM schema ('event1.idm.read_only_udm') to the selected UDM field. This involves creating any necessary intermediate parent levels along the way.
      
      This approach ensures that your data is mapped correctly to the UDM schema, following its hierarchical structure and field type requirements.
      
      The final steps in your GoStash configuration involve writing the transformed data to the output and preparing the parser for production use:
      
      • Writing to Output: The statement @output ← $.event1 instructs GoStash to take the data that has been structured under the event1 field and write it to the output destination. This makes the transformed data available for consumption by Chronicle or other systems.
        • Disabling statedump: The statedump operation, which is used for debugging and inspecting the internal state of the parser, should be commented out or removed before deploying the parser to production. This is because statedump can introduce performance overhead and is not necessary for normal operation.
          

          mutate {merge => { "@output" => "event1" }}
          statedump {label => "end"}