Parse the value without converting into string

Hello All,

I want to parse the log values shown below as integers only, but when I map them to additional.fields, security_result.about.resource.attribute.labels, or about.labels, the value is stored as a string, whereas I need it as an integer. When I tried additional.fields.value.number_value, it gave the error "source field must be a string".
 
Please refer this raw log:
"WAFRCEAttackScore": 90,
"WAFSQLiAttackScore": 98,
"WAFXSSAttackScore": 98

Please refer the parser code:
  # Asker's original attempt: attach the SQLi attack score to the event as a
  # key/value label. The body runs only when WAFSQLiAttackScore is not "".
  if [WAFSQLiAttackScore] != "" {
      # Cast the score to a string. If the cast fails, the "already_string" flag
      # is set rather than the failure being handled here.
      mutate {
        convert => {
          "WAFSQLiAttackScore" => "string"
        }
        on_error => "already_string"
      }
      # Build a temporary label object: the value is the interpolated score
      # (a string after the cast above), the key is the original field name.
      mutate {
        replace => {
          "WAFSQLiAttackScore_label.value" => "%{WAFSQLiAttackScore}"
          "WAFSQLiAttackScore_label.key" => "WAFSQLiAttackScore"
        }
        on_error => "err"
      }
      # Append the label to the labels list under security_result.about.resource.
      # Because the score was cast to a string above, the stored value is a string,
      # which is the behaviour the asker reports.
      # NOTE(review): the "err" flag is never checked in this snippet, so a failed
      # replace or merge would drop the score without any visible signal.
      mutate{
        merge => {
          "security_result.about.resource.attribute.labels" => "WAFSQLiAttackScore_label"
        }
        on_error => "err"
      }
    }
1 ACCEPTED SOLUTION

Hi @James_E ,

I had already tried the parser code you gave me, and it didn't work. After some research I found a different method to get the value parsed. Please find the parser code below for your reference.


    # Accepted approach: carry the score in security_result.risk_score instead of
    # a label. The body runs only when WAFSQLiAttackScore is not "".
    # NOTE(review): the raw log in the thread also has WAFRCEAttackScore and
    # WAFXSSAttackScore; this snippet maps only the SQLi score.
    # NOTE(review): these field names look like Cloudflare WAF attack scores, where
    # a LOW score means "more likely an attack". If so, copying the value unchanged
    # into risk_score reverses the usual "higher is riskier" reading. Confirm the
    # scale before writing detections or thresholds against it.
    if [WAFSQLiAttackScore] != "" {
      # copy is written destination => source: risk_score receives the value of
      # WAFSQLiAttackScore with no string conversion step in between.
      # NOTE(review): no on_error is set on any step here; presumably a failure
      # surfaces as a parser error for the log. Confirm that is the intent.
      mutate{
        copy => {
          "security_result.risk_score" => "WAFSQLiAttackScore"
        }
      }
      # Append the temporary security_result object to the observer's
      # security_result list in the UDM event.
      # NOTE(review): the result lands under observer, not under a top-level
      # security_result; verify that rules and searches read it from this path.
      mutate {
        merge => {
          "event.idm.read_only_udm.observer.security_result" => "security_result"
        }
      }
      # Drop the temporary object after it has been merged.
      mutate {
        remove_field => ["security_result"]
      }
    }

 


2 REPLIES 2

@sudeep_singh Can you try the code below? If you want the value to be an integer, you need to convert it to an integer. The number_value field should then store it as a number within WAFSQLiAttackScore_label.value.

  # Suggested variant: convert the score to an integer and store it in the label's
  # value.number_value. The asker reports in this thread that it did not work.
  if [WAFSQLiAttackScore] != "" {
      # Cast the score to an integer. The error flag is still named
      # "already_string", carried over from the string-conversion version.
      mutate {
        convert => {
          "WAFSQLiAttackScore" => "integer"
        }
        on_error => "already_string"
      }
      # Build a temporary label object, targeting value.number_value.
      # NOTE(review): the value is supplied through "%{...}" interpolation;
      # presumably this is where the asker's "source field must be a string"
      # error comes from. Confirm against the parser's error output.
      mutate {
        replace => {
          "WAFSQLiAttackScore_label.value.number_value" => "%{WAFSQLiAttackScore}"
          "WAFSQLiAttackScore_label.key" => "WAFSQLiAttackScore"
        }
        on_error => "err"
      }
      # Append the label to the labels list under security_result.about.resource.
      # NOTE(review): the "err" flag is never checked in this snippet, so a failed
      # replace or merge would drop the score without any visible signal.
      mutate{
        merge => {
          "security_result.about.resource.attribute.labels" => "WAFSQLiAttackScore_label"
        }
        on_error => "err"
      }
    }

Hi @James_E ,

I had already tried the parser code you gave me, and it didn't work. After some research I found a different method to get the value parsed. Please find the parser code below for your reference.


    # Asker's working approach: carry the score in security_result.risk_score
    # instead of a label. The body runs only when WAFSQLiAttackScore is not "".
    # NOTE(review): the raw log in the thread also has WAFRCEAttackScore and
    # WAFXSSAttackScore; this snippet maps only the SQLi score.
    # NOTE(review): these field names look like Cloudflare WAF attack scores, where
    # a LOW score means "more likely an attack". If so, copying the value unchanged
    # into risk_score reverses the usual "higher is riskier" reading. Confirm the
    # scale before writing detections or thresholds against it.
    if [WAFSQLiAttackScore] != "" {
      # copy is written destination => source: risk_score receives the value of
      # WAFSQLiAttackScore with no string conversion step in between.
      # NOTE(review): no on_error is set on any step here; presumably a failure
      # surfaces as a parser error for the log. Confirm that is the intent.
      mutate{
        copy => {
          "security_result.risk_score" => "WAFSQLiAttackScore"
        }
      }
      # Append the temporary security_result object to the observer's
      # security_result list in the UDM event.
      # NOTE(review): the result lands under observer, not under a top-level
      # security_result; verify that rules and searches read it from this path.
      mutate {
        merge => {
          "event.idm.read_only_udm.observer.security_result" => "security_result"
        }
      }
      # Drop the temporary object after it has been merged.
      mutate {
        remove_field => ["security_result"]
      }
    }