Parsing Error

asinghz297 · 02-12-2025 11:10 PM

filter {
json {
source => "message"
array_function => "split_columns"
}

mutate {
replace => { 
"sourceIPAddress" => ""
"event1.idm.read_only_udm.metadata.event_type" => "GENERIC_EVENT"
}
}


for k, v in Records map {
if [v][sourceIPAddress] not in ["", "null", "None"] {
mutate {
replace => {
"event1.idm.read_only_udm.principal.ip" => "%{v.sourceIPAddress}"
}
}
}
}

statedump{
label => "foo"
}



mutate {
merge => { "@output" => "event1" }
}

}

This is my parser. and here is my sample log.

{

  "Records": [

    {

      "responseElements": null,

      "sourceIPAddress": "13.200.103.212",

      "tlsDetails": {

        "tlsVersion": "TLSv1.3"

      },

      "userAgent": "[aws-sdk-go/1.44.315 (go1.21.3; linux; amd64)]"

    }

  ]

}

This is the erro I am facing.

generic::unknown: pipeline.ParseLogEntry failed: LOG_PARSING_CBN_ERROR: "generic::invalid_argument: failed to convert raw output to events: failed to convert raw message 0: field \"idm\": index 0: recursive rawDataToProto failed: field \"read_only_udm\": index 0: recursive rawDataToProto failed: field \"principal\": index 0: recursive rawDataToProto failed: field \"ip\": failed to make strategy: received non-slice or non-array raw output for repeated field"

Can someone help me solve this?

mikewilusz

The principal.ip field is a repeated/array field. As-such, you'll need to use "merge" rather than "replace" to append values to the array. Details here: https://cloud.google.com/chronicle/docs/reference/parser-syntax#merge_function

-mike

Webinar May 14th: Gemini's generative AI within Google SecOpsWebinar May 29th: Log Ingestion: Bindplane + Google SecOps

Parsing Error

Webinar May 14th: Gemini's generative AI within Google SecOps
Webinar May 29th: Log Ingestion: Bindplane + Google SecOps