Custom Parser: Received non-slice or non-array raw output for repeated field

Good Day,
I am trying to parse the following log and I want to map it to security_result.summary, but I am getting the following error: "failed to make strategy: received non-slice or non-array raw output for repeated field". I feel like I am missing something really simple here but I am not sure.

{
"ACTION": "Login"
}
generic::unknown: pipeline.ParseLogEntry failed: LOG_PARSING_CBN_ERROR: "generic::invalid_argument: failed to convert raw output to events: failed to convert raw message 0: field \"idm\": index 0: recursive rawDataToProto failed: field \"read_only_udm\": index 0: recursive rawDataToProto failed: field \"security_result\": failed to make strategy: received non-slice or non-array raw output for repeated field"

if [ACTION] != "" {
  mutate {
    replace => {
      "summary" => "%{ACTION}"
    }
  }
  mutate {
    replace => {
      "security_result.summary" => "%{summary}"
    }
  }
  mutate {
    merge => {
      "event.idm.read_only_udm.security_result.summary" => "security_result.summary"
    }
  }
}
 
Accepted solution

You're close! Something to keep in mind is that summary is only a string and not a repeated field. So what you're doing is correct where you're putting that string into security_result.summary, but for the merge you're actually trying to merge that string field into UDM directly. Now that you have your security_result object (with the summary string in it), you'll want to merge that object into UDM, so something like this:

mutate {
  merge => {
    "event.idm.read_only_udm.security_result" => "security_result"
  }
}

Any more questions/issues let me know.

-mike
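For context, here is how the corrected merge sits inside a complete custom parser, with the original merge kept as a commented-out line for contrast. This is an added example and not Mike's code or the original poster's: the surrounding filter block, the json extraction from "message", the GENERIC_EVENT event type and the final "@output" merge are assumptions about the rest of the parser, which the thread does not show.

```logstash
filter {
  # Assumed: the raw log arrives in "message" as a JSON object such as {"ACTION": "Login"}.
  json {
    source => "message"
    array_function => "split_columns"
    on_error => "not_json"
  }
  if [not_json] {
    drop {}
  }

  # Assumed event type; use whichever UDM event type fits the log source.
  mutate {
    replace => {
      "event.idm.read_only_udm.metadata.event_type" => "GENERIC_EVENT"
    }
  }

  if [ACTION] != "" {
    # Build a security_result object in a scratch variable.
    # summary is a plain string inside that object.
    mutate {
      replace => {
        "security_result.summary" => "%{ACTION}"
      }
    }

    # Wrong: targets the string inside the repeated field, so the parser
    # reports "received non-slice or non-array raw output for repeated field".
    # mutate {
    #   merge => {
    #     "event.idm.read_only_udm.security_result.summary" => "security_result.summary"
    #   }
    # }

    # Right: merge the whole object, which appends one element to the
    # repeated security_result list in the UDM event.
    mutate {
      merge => {
        "event.idm.read_only_udm.security_result" => "security_result"
      }
    }
  }

  # Emit the assembled event.
  mutate {
    merge => {
      "@output" => "event"
    }
  }
}
```

The same shape applies to any repeated message field in UDM: assemble a complete sub-object in a scratch variable first, then merge that object (once per element) into the repeated field, rather than merging one of its scalar members.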
