This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
Webinar May 14th: Gemini's generative AI within Google SecOps
Webinar May 29th: Log Ingestion: Bindplane + Google SecOps
Log in to ask a question

Repeated fields overwritten in parser extension (code)

Posted on 11-06-2024 05:06 AM
chrisd2
Bronze 5
Bronze 5
Reply posted on --/--/---- --:-- AM

Hello everyone,

I wrote a parser extension ("code" mode) for a log_type in order to add a couple fields that were not handled by the default parser.
I mapped a couple raw fields to UDM fields under security_result in the parser ext.

Problem: I noticed that this configuration was overwriting the security_result field parsed by the default parser.

I saw in the docs that in "no-code" parser extensions, there was the option to append values to repeated fields instead of overwriting them. How can I configure the same behavior for my "code" parser extension ?

 

Solved Solved
0 7 420
Topic Labels
Jump to Solution
0 Likes
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
cbryant
Bronze 5
Bronze 5
Reply posted on --/--/---- --:-- AM

To my knowledge, there is no way to append repeated fields with a CBN snippet. 

View solution in original post

Jump to Solution
0 Likes
7 REPLIES 7
Top Solution Authors
View all