This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
The Google Cloud Security Community is upgrading platforms!

Read more and check out our FAQ
Log in to ask a question

Multi Event Parsing

Posted on 01-22-2025 05:21 AM
samryanturner
Bronze 5
Bronze 5
Reply posted on --/--/---- --:-- AM

I have a log source that can group json objects into a single raw log. I've checked out - https://cloud.google.com/chronicle/docs/reference/parser-syntax#generating_output_-_multiple_events

is there a way to dynamically iterate over the index, increment it and output each UDM event? something like -

 

for event in events {

mutate {
replace => {
"index" => 0
}
}

       if [ip] != "" {
        mutate {
            merge =>{
                "udm_event%{index}.idm.read_only_udm.target.ip" => "ip"
            }
        }
        }

    mutate {
        merge => {
            "@output" => "udm_event%{index}"
        }
    }
%{index}++
}

 

Additional context is that they come in as json objects within a list. I've got them all split out but would like them to be parsed into separate UDM events as opposed to one UDM event with array fields.

Solved Solved
1 2 274
Topic Labels
Jump to Solution
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
samryanturner
Bronze 5
Bronze 5
Reply posted on --/--/---- --:-- AM

I think I see this is unnecessary, you can cast the udm to udm_event inside the loop, then reset it to null at the beginning.

Wouldn't mind someone confirming that is best practice however? Validated and working on my end.

filter{ 
 for k,v in messageSplit {

        mutate {
            replace => {
                "udm_event" => ""
            }
        }


 # MAP DATA HERE

     # Create UDM event inside loop
        mutate {
            merge => {
                "@output" => "udm_event"
            }
        }
 } 
}

 

View solution in original post

Jump to Solution
0 Likes
2 REPLIES 2

Posted on --/--/---- --:-- AM
samryanturner
Bronze 5
Bronze 5
Reply posted on --/--/---- --:-- AM

I think I see this is unnecessary, you can cast the udm to udm_event inside the loop, then reset it to null at the beginning.

Wouldn't mind someone confirming that is best practice however? Validated and working on my end.

filter{ 
 for k,v in messageSplit {

        mutate {
            replace => {
                "udm_event" => ""
            }
        }


 # MAP DATA HERE

     # Create UDM event inside loop
        mutate {
            merge => {
                "@output" => "udm_event"
            }
        }
 } 
}

 

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
rajukg
Staff
In response to samryanturner
Reply posted on --/--/---- --:-- AM

This is exactly how you would iterate the logs in an array and then generate the UDM event for each log in the loop.

Jump to Solution
Top Solution Authors
View all