This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

Concatinating field from nested json by extending the parser

Posted on 09-06-2024 06:23 AM
swanand
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Hi All,  Need to implement this urgently - tried all options including ruby / split etc but none of that works within google chronicle parser extension. 

I have a simple requirement to concatenate field value from recurring field as per below. Please suggest how this can be implemented in parser extension.  Input and expected output is as per below.. Thanks in advance.

Input:

{
"folders": [
{"resourceFolderDisplayName": "L1"},
{"resourceFolderDisplayName": "L2"},
{"resourceFolderDisplayName": "L3"}
]
}

Expected Output:

UDM.METADATA.RESOURCEPATH = L1/L2/L3

Solved Solved
0 4 304
Topic Labels
Jump to Solution
0 Likes
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
AbdElHafez
Staff
Reply posted on --/--/---- --:-- AM

This is a valid version, I could not find a resourcepath under metadata so I put in metadata.description

AbdElHafez_0-1725918034802.png

 

filter {

    
json {
  source => "message"
  array_function => "split_columns"
}
statedump {
    "label" => "1"}

        mutate {replace => {"temp"=>""}} #Init the concat token

for index1,item1 in folders {
        mutate {convert => {"index1"=>"string"}}
        mutate {replace => {"label1"=>""}} #Init the collector token

        mutate {replace => {"obj.val"=>"%{item1.resourceFolderDisplayName}"}}
        
        mutate {replace => {"label1"=>"%{obj.val}"}}

        mutate {merge => {"labels"=>"label1"}} #Init the collector token
        
        
        # Concat
        if [index1]=='0' {mutate {replace => {"temp"=>"%{label1}"}}} 
        else {mutate {replace => {"temp"=>"%{temp}|%{label1}"}}} 

        statedump {
            "label" => "2"}
}


    mutate {
    replace => {
    "event.idm.read_only_udm.metadata.product_name" => "Upstream"
    "event.idm.read_only_udm.metadata.vendor_name" => "Upstream"
    "event.idm.read_only_udm.metadata.event_type" => "GENERIC_EVENT"
    "event.idm.read_only_udm.metadata.description" => "%{temp}" #Concat in Temp
    }
    }

mutate {
    merge => {
        "@output" => "event"
    }
    }


    statedump {
        "label" => "3"}

}

 

View solution in original post

Jump to Solution
4 REPLIES 4
Top Solution Authors
View all