Good Day,
I am trying to parse the following log and I want to map it to security_result.summary, but I am getting the following error: "failed to make strategy: received non-slice or non-array raw output for repeated field". I feel like I am missing something really simple here, but I am not sure what.
 
{
"ACTION": "Login"
}
generic::unknown: pipeline.ParseLogEntry failed: LOG_PARSING_CBN_ERROR: "generic::invalid_argument: failed to convert raw output to events: failed to convert raw message 0: field \\"idm\\": index 0: recursive rawDataToProto failed: field \\"read_only_udm\\": index 0: recursive rawDataToProto failed: field \\"security_result\\": failed to make strategy: received non-slice or non-array raw output for repeated field"
 
 
if [ACTION] != "" {
  mutate {
    replace => {
      "summary" => "%{ACTION}"
    }
  }
  mutate {
    replace => {
      "security_result.summary" => "%{summary}"
    }
  }
  mutate {
    merge => {
      "event.idm.read_only_udm.security_result.summary" => "security_result.summary"
    }
  }
}
 

You're close! Something to keep in mind is that summary is only a string and not a repeated field. So what you're doing is correct where you're putting that string into security_result.summary, but for the merge you're actually trying to merge that string field into UDM directly. Now that you have your security_result object (with the summary string in it), you'll want to merge that object into UDM, so something like this:

mutate {
  merge => {
    "event.idm.read_only_udm.security_result" => "security_result"
  }
}

Any more questions or issues, let me know.


-mike
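Putting the two halves of this thread together, here is a complete CBN filter block as an added example; it is not Mike's or the original poster's code, and not from Chronicle's own parser library. It assumes the raw log arrives in the message field as the JSON shown above, that GENERIC_EVENT is an acceptable placeholder for metadata.event_type, and that non-JSON lines should be dropped.

```logstash
filter {
  # Parse the raw JSON log into top-level fields (ACTION, ...).
  # Assumption: the raw log is delivered in the "message" field.
  json {
    source => "message"
    on_error => "not_json"
  }
  # Assumption: lines that are not valid JSON are dropped rather than
  # emitted as malformed events.
  if [not_json] {
    drop {}
  }

  # Every UDM event needs a metadata.event_type; GENERIC_EVENT is an
  # assumed placeholder until ACTION values are mapped to real types.
  mutate {
    replace => {
      "event.idm.read_only_udm.metadata.event_type" => "GENERIC_EVENT"
    }
  }

  # security_result is a repeated field of objects, so build one
  # security_result object first ...
  if [ACTION] != "" {
    mutate {
      replace => {
        "security_result.summary" => "%{ACTION}"
      }
    }
    # ... and merge the whole object into UDM. Merging the string
    # security_result.summary directly is what produces the
    # "received non-slice or non-array raw output for repeated field" error.
    mutate {
      merge => {
        "event.idm.read_only_udm.security_result" => "security_result"
      }
    }
  }

  # Emit the assembled event.
  mutate {
    merge => {
      "@output" => "event"
    }
  }
}
```

For the sample log above this yields one event with metadata.event_type GENERIC_EVENT and a single security_result entry whose summary is "Login"; a log with an empty ACTION still emits the event, just without a security_result.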