This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
Check out the new Professional Security Operations Engineer certification beta!
Log in to ask a question

Parsing two IP in single field

Posted on 04-29-2025 05:37 AM
Rached1996
Bronze 5
Bronze 5
Reply posted on --/--/---- --:-- AM

Hello Community 
I'm working on a custom parser and i see that the ip in the raw log is in this format :

"AUDIT_SOURCE_IP": "147.1.1.1,34.1.1.7",

As you see two IP's in single field and getting this error while parsing :

generic::unknown: invalid event 0: LOG_PARSING_GENERATED_INVALID_EVENT: "field type check failed: field backstory.Noun.ip[0] \""147.1.1.1,34.1.1.7\" does not match type IP: invalid argument" 

how i can resolve that please ?

Solved Solved
0 1 166
Topic Labels
Jump to Solution
0 Likes
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
TomAtGoogle
Staff
Reply posted on --/--/---- --:-- AM

This one is actually pretty simple.  Just iterate through the IP list and add them to the UDM field one at a time.

 

if [IP] != "" {
     for myIP in AUDIT_SOURCE_IP {
          mutate {
               merge => {
                    "event.idm.read_only_udm.principal.ip" => "%[myIP]"
               }
               on_error => "zerror.no_principal_ip"
          }
     }
}

View solution in original post

Jump to Solution
1 REPLY 1

Posted on --/--/---- --:-- AM
TomAtGoogle
Staff
Reply posted on --/--/---- --:-- AM

This one is actually pretty simple.  Just iterate through the IP list and add them to the UDM field one at a time.

 

if [IP] != "" {
     for myIP in AUDIT_SOURCE_IP {
          mutate {
               merge => {
                    "event.idm.read_only_udm.principal.ip" => "%[myIP]"
               }
               on_error => "zerror.no_principal_ip"
          }
     }
}

Jump to Solution
Top Solution Authors
View all