This is the sample data:
{
"ts": "2025-04-28T12:56:43.765882Z",
"adminName": "PRA.DE@abc.com",
"adminEmail": "PRA.D@abc.com",
"adminId": "6693xxxx6693",
"networkName": null,
"networkId": null,
"networkUrl": null,
"ssidName": null,
"ssidNumber": null,
"page": "Policy objects",
"label": "Policy object group object ids",
"client": {
"id": null,
"type": null
}
}
I have written a parser for this:
# Parser for the JSON audit record shown above: extracts the JSON in "message",
# emits one UDM event (event1) typed GENERIC_EVENT, and copies networkId,
# networkUrl and networkName into additional.fields when they are non-empty.
# NOTE(review): adminName, adminEmail, adminId, page, label and ts are extracted
# but never mapped in this block, so the resulting event carries no actor and
# cannot be searched by who made the change.
filter {
# First JSON extraction; a parse failure sets the not_json_format flag instead
# of failing the pipeline.
# NOTE(review): not_json_format is never checked later in this parser.
json {
source => "message"
array_function => "split_columns"
on_error => "not_json_format"
}
mutate {
replace => {
"event1.idm.read_only_udm.metadata.event_type" => "GENERIC_EVENT"
}
}
# Second JSON extraction of the same source, this time without on_error.
# NOTE(review): looks redundant with the first json block; confirm whether it
# is needed.
json {
source => "message"
array_function => "split_columns"
}
# networkId is null in the sample record, and the reported error says
# "networkId" is not found in state data when this expression is evaluated
# (presumably this is the "filter conditional (4)" in the error; confirm).
# The on_error inside the mutate below does not cover the if expression
# itself, so the field has to exist before it is compared.
if [networkId] != "" {
mutate {
replace => {
"networkId_label.value.string_value" => "%{networkId}"
}
on_error => "networkId_empty"
}
# Only build and merge the label when the replace above did not flag an error.
if ![networkId_empty] {
mutate {
replace => {
"networkId_label.key" => "networkId"
}
}
mutate {
merge => {
"event1.idm.read_only_udm.additional.fields" =>
"networkId_label"
}
on_error => "networkId_label_empty"
}
}
}
# Same pattern for networkUrl, which is also null in the sample record and is
# referenced here without having been initialized.
if [networkUrl] != "" {
mutate {
replace => {
"networkUrl_label.value.string_value" => "%{networkUrl}"
}
on_error => "networkUrl_empty"
}
if ![networkUrl_empty] {
mutate {
replace => {
"networkUrl_label.key" => "networkUrl"
}
}
mutate {
merge => {
"event1.idm.read_only_udm.additional.fields" =>
"networkUrl_label"
}
on_error => "networkUrl_label_empty"
}
}
}
# Same pattern for networkName, also null in the sample record.
if [networkName] != "" {
mutate {
replace => {
"networkName_label.value.string_value" => "%{networkName}"
}
on_error => "networkName_empty"
}
if ![networkName_empty] {
mutate {
replace => {
"networkName_label.key" => "networkName"
}
}
mutate {
merge => {
"event1.idm.read_only_udm.additional.fields" =>
"networkName_label"
}
on_error => "networkName_label_empty"
}
}
}
# Debug aid: dumps the parser state under the label "foo".
# NOTE(review): presumably left in for troubleshooting; confirm whether it
# should remain once the parser works.
statedump {
label => "foo"
}
# Emit event1 as the parser output.
mutate {
merge => { "@output" => "event1" }
}
}
Error Observed :
generic::unknown: pipeline.ParseLogEntry failed: LOG_PARSING_CBN_ERROR: "generic::invalid_argument: pipeline failed: filter conditional (4) failed: failed to evaluate expression: generic::invalid_argument: \"networkId\" not found in state data"
Even after adding a check for a blank value, the parser still throws this error.
How can I resolve it? Can anyone help me with this?
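It is typically best practice to initialize the variables at the top of the parser, but inside the "filter" curly braces. What's happening is that if you do the data extraction with the JSON function and there is no networkId in the log, the parser errors out when it tries to reference the field, because it doesn't exist. In the sample above the key is present but null, and per the error message it never reaches the state data, so the comparison against "" fails instead of evaluating to false. The same applies to networkUrl and networkName, which the parser tests in the same way.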
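filter {
  # Initialize every field that a later conditional references, before the
  # json extraction runs. A key that is missing or null in the log then still
  # exists in state as "", so `if [networkId] != ""` evaluates to false instead
  # of failing the whole pipeline and dropping the event.
  # The parser in the question tests networkId, networkUrl and networkName, and
  # all three are null in the sample record, so all three are declared here.
  mutate {
    replace => {
      "networkId" => ""
      "networkUrl" => ""
      "networkName" => ""
    }
  }
  # rest of parser code
}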