Skip to main content
Question

Can I use the value of metadata.event_type in parser extension?

  • February 6, 2026
  • 2 replies
  • 8 views
Lupin III
Forum|alt.badge.img

Hi guys,

I’ve been stuck on this for a few days and could use some help.

What I’m trying to do is reference the value of metadata.event_type that’s set by the prebuilt parser and then use that value in an IF condition within a parser extension.

Below is a simple example of what I’m attempting to do.

Any guidance or clarification would be really appreciated.
Thanks!

 

Prebuilt parser:

metadata.event_type: USER_LOGIN

 

Parser Extension:

filter {

    if ["event.idm.read_only_udm.metadata.event_type"] == "USER_LOGIN" {

        mutate {

            replace => {

                "event.idm.read_only_udm.metadata.description" => "Fujiko"

            }

        }

    }

    mutate {

        merge => {

            "@output" => "event"

        }

    }

}

 

 

Since the IF condition is met, metadata.description should be populated with “Fujiko”.

This is being done in Google Chronicle.

2 replies

citreno
Forum|alt.badge.img+6
  • citrenoBronze 1
  • Bronze 1
  • February 6, 2026

Unfortunately no, the extension doesn't get the current parser state. You would have to somehow copy the logic that the underlying parser uses or define your own cleaner logic and overwrite event_type perhaps.

Lupin III
Forum|alt.badge.img
  • Lupin III
  • Author
  • New Member
  • February 6, 2026

The other problem is that there’s a lot of logic in the prebuilt parser, so it’s pretty hard to go through all of it.

Anyway, thanks for the response!

Terms & ConditionsCookie settingsAccessibility statement
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.