This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
New SecOps Webinar May 14th! Learn about Gemini's generative AI within Google SecOps
Log in to ask a question

Understanding convert in parsing

Posted on 12-27-2023 12:43 AM
Former Community Member
Not applicable
Reply posted on --/--/---- --:-- AM

Hello Team, we encountered an error while trying to convert a field to a string. We tried converting to string, but again we encountered same error.

Error - "generic::invalid_argument: pipeline failed: filter mutate (30) failed: replace failure: field \"startTime.value\": source field \"startTime\": source field value must be a string"

Please find the below code 

if [startTime] != "" and [startTime] != "--" {

mutate {
convert => {
"startTime" => "string"
}
on_error => "status_already_string"
}

mutate {
replace => {
"startTime.key" => "Start Time"
"startTime.value" => "%{startTime}"

}
merge => {
"security_result.detection_fields" => "startTime"
}
}
}



 

Solved Solved
0 2 427
Topic Labels
Jump to Solution
0 Likes
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
lukas-lr
Bronze 4
Bronze 4
Reply posted on --/--/---- --:-- AM

The problem might be that you use the same variable name for the original string and the dictionary. I.e. try to change your code to

if [startTime] != "" and [startTime] != "--" {

mutate {
convert => {
"startTime" => "string"
}
on_error => "status_already_string"
}

mutate {
replace => {
"startTimeLabel.key" => "Start Time"
"startTimeLabel.value" => "%{startTime}"

}
merge => {
"security_result.detection_fields" => "startTimeLabel"
}
}
}

View solution in original post

Jump to Solution
0 Likes
2 REPLIES 2
Top Solution Authors
View all