Solved: Understanding convert in parsing

Former Community Member · 12-27-2023 12:43 AM

Hello Team, we encountered an error while trying to convert a field to a string. We tried converting to string, but again we encountered same error.

Error - "generic::invalid_argument: pipeline failed: filter mutate (30) failed: replace failure: field \"startTime.value\": source field \"startTime\": source field value must be a string"

Please find the below code

if [startTime] != "" and [startTime] != "--" {

mutate {
convert => {
"startTime" => "string"
}
on_error => "status_already_string"
}

mutate {
replace => {
"startTime.key" => "Start Time"
"startTime.value" => "%{startTime}"

}
merge => {
"security_result.detection_fields" => "startTime"
}
}
}

lukas-lr

The problem might be that you use the same variable name for the original string and the dictionary. I.e. try to change your code to

if [startTime] != "" and [startTime] != "--" {

mutate {
convert => {
"startTime" => "string"
}
on_error => "status_already_string"
}

mutate {
replace => {
"startTimeLabel.key" => "Start Time"
"startTimeLabel.value" => "%{startTime}"

}
merge => {
"security_result.detection_fields" => "startTimeLabel"
}
}
}

View solution in original post

lukas-lr

The problem might be that you use the same variable name for the original string and the dictionary. I.e. try to change your code to

if [startTime] != "" and [startTime] != "--" {

mutate {
convert => {
"startTime" => "string"
}
on_error => "status_already_string"
}

mutate {
replace => {
"startTimeLabel.key" => "Start Time"
"startTimeLabel.value" => "%{startTime}"

}
merge => {
"security_result.detection_fields" => "startTimeLabel"
}
}
}

Former Community Member

Thank you

New SecOps Webinar May 14th! Learn about Gemini's generative AI within Google SecOps

Understanding convert in parsing