This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
New SecOps Webinar May 14th! Learn about Gemini's generative AI within Google SecOps
Log in to ask a question

Use parser extension to remove field mapping

Posted on 12-14-2023 06:42 AM
lukas-lr
Bronze 4
Bronze 4
Reply posted on --/--/---- --:-- AM

Hi everyone,

Is there a way to delete a field value by using a parser extension? I want to "move" a value from one UDM field to the other, leaving the UDM field used by the default parser empty. However, I could not find an explicit way to set it to null or empty, such that the value set by the default parser is removed from the UDM event.

Solved Solved
0 3 543
Topic Labels
Jump to Solution
0 Likes
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
cmmartin_google
Staff
Reply posted on --/--/---- --:-- AM

You can't remove a mapping from the default parser is my understanding of using Parser Extensions.

You can write a GROK extension to take the original value from the raw log into a new UDM field, but if you add a value as empty then the original UDM value will be used.

I think this would be a FR for Parser Extensions to support this, or else an update to the default parser via support.

View solution in original post

Jump to Solution
3 REPLIES 3

Posted on --/--/---- --:-- AM
deeshu
Bronze 4
Bronze 4
Reply posted on --/--/---- --:-- AM

You can use mutate to store the values in different udm field. What's your use case for keeping the UDM empty? AFAIK blank UDM field will not be visible in UDM Events.

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
lukas-lr
Bronze 4
Bronze 4
In response to deeshu
Reply posted on --/--/---- --:-- AM

In some events, the default parser writes data fields containing two different hosts in fields of the principal noun. I want to separate that, so there is no confusion for example which host a process id belongs to. But since there is no process id in the raw log for the host which I want to have in the principal, I have to remove it from there. Just setting it blank is ignored by the logic which merges the original event which the one from the extension.

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
cmmartin_google
Staff
Reply posted on --/--/---- --:-- AM

You can't remove a mapping from the default parser is my understanding of using Parser Extensions.

You can write a GROK extension to take the original value from the raw log into a new UDM field, but if you add a value as empty then the original UDM value will be used.

I think this would be a FR for Parser Extensions to support this, or else an update to the default parser via support.

Jump to Solution
Top Solution Authors
View all