This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
The Google Cloud Security Community will be in read-only mode July 16 - July 22 as we migrate platforms. 

Read more and check out our FAQ
Log in to ask a question

Merge function does not append, it's just overwriting for this event field - "event.idm.read_only_ud

Posted on 02-28-2024 01:16 AM
AfvanJaffer
Bronze 5
Bronze 5
Reply posted on --/--/---- --:-- AM

Hi 

I'm trying to append a new label into the "event.idm.read_only_udm.target.resource.attribute.labels" field in the event.

But when I try =>  creating a new label and merging it with the above event overwrites the values itself, dont append to it.

Below is the code snippet:


filter {
json {
source => "message"
array_function => "split_columns"
}
 
grok {
match => {
"textPayload" => [
'%{TIMESTAMP_ISO8601:istio_timestamp}\] \\"%{WORD:method} (?:%{URIPATH:uri_path}(?:%{URIPARAM:uri_param})?|%{DATA}) %{DATA:protocol}" %{NUMBER:status_code} %{DATA:response_flags} %{NUMBER:bytes_received} %{NUMBER:bytes_sent} %{NUMBER:duration} (?:%{NUMBER:upstream_service_time}|%{DATA:tcp_service_time}) "%{DATA:forwarded_for}" "%{DATA:user_agent}" "%{DATA:request_id}" "%{DATA:authority}" "%{DATA:upstream_service}"'
]
}
}

mutate {
replace => {
"_labels.value" => "%{authority}"
"_labels.key" => "authority"
}
}
 
mutate {
merge => {
"event.idm.read_only_udm.target.resource.attribute.labels" => "_labels"
}
}

mutate {
merge => {
"@output" => "event"
}
}

statedump {}
}






Solved Solved
1 3 263
Topic Labels
Jump to Solution
Reply
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
deeshu
Bronze 4
Bronze 4
Reply posted on --/--/---- --:-- AM

Instead of "_labels.value" try "_labels.value.string_value". 

Instead of "event.idm.read_only_udm.target.resource.attribute.labels" try 

"event.idm.read_only_udm.additional.fields". 

View solution in original post

Jump to Solution
0 Likes
Reply
3 REPLIES 3

Posted on --/--/---- --:-- AM
DanHansen
Silver 1
Silver 1
Reply posted on --/--/---- --:-- AM

If I'm not mistaken merge with a string field won't append. I think everything else is fine it's just not a function of merge to do that there?

Jump to Solution
0 Likes
Reply

Posted on --/--/---- --:-- AM
citreno
Bronze 3
Bronze 3
Reply posted on --/--/---- --:-- AM

Hi,


Are you trying to use an extension? if so a parser extension will overwrite any repeated field, I'd recommend to pick a repeated field that is not currently in use. Unfortunately that's the only way, unless you modify the underlying parser.

Jump to Solution
Reply

Posted on --/--/---- --:-- AM
deeshu
Bronze 4
Bronze 4
Reply posted on --/--/---- --:-- AM

Instead of "_labels.value" try "_labels.value.string_value". 

Instead of "event.idm.read_only_udm.target.resource.attribute.labels" try 

"event.idm.read_only_udm.additional.fields". 
Jump to Solution
0 Likes
Reply
Top Solution Authors
View all