{
  "Records": [
    {
      "awsRegion": "ap-south-1",
      "eventCategory": "Data",
      "eventName": "GetObject",
      "eventSource": "s3.amazonaws.com",
      "eventTime": "2025-01-08T14:22:14Z",
      "eventType": "AwsApiCall",
      "resources": [
        {
          "ARN": "arn:aws:s3:::abc/fake/5a660ee115645811/1942c4f7458e:1944564ta60:84a2d733",
          "type": "AWS::S3::Object"
        },
        {
          "ARN": "arn:aws:s3:::abc",
          "accountId": "352484409731",
          "type": "AWS::S3::Bucket"
        }
      ],
      "responseElements": null,
      "sourceIPAddress": "13.200.103.212"
    }
  ]
}

This is my sample log, and here is my parser.

filter {
        # Parse the raw CloudTrail record held in "message". "split_columns"
        # appears to flatten JSON arrays so elements become addressable by
        # index; a message that is not JSON raises the "not_json_format"
        # flag instead of failing the parser.
        json {
        source => "message"
        array_function => "split_columns"
        on_error => "not_json_format"
        }

    # Static UDM metadata applied to every event. "src_present" is a state
    # flag that the loop below flips to "true" once a source IP is seen.
    mutate {
      replace => {
        "src_present" => "false"
        "event1.idm.read_only_udm.metadata.vendor_name" => "AWS"
        "event1.idm.read_only_udm.metadata.product_name" => "CLOUDTRAIL"
        "event1.idm.read_only_udm.metadata.event_type" => "GENERIC_EVENT"
        }
    }



    # Iterate over each CloudTrail record in the Records array.
    for k, v in Records map {
        # Empty body: this inner loop over the first resources element does
        # nothing, so the ARN it holds is never read.
        for x, y in v.resources[0] map { }


        # Only populate principal.ip when sourceIPAddress carries a real value.
        if [v][sourceIPAddress] not in ["", "null", "None"] {

            mutate {
                replace => {
                    "src_present" => "true"
                }
            }

            # merge copies the field named by the value into principal.ip.
            # If that fails (presumably e.g. the value is not a valid IP) the
            # "principal_ip_not_set" flag is raised rather than the parser failing.
            mutate {
                merge => {
                    "event1.idm.read_only_udm.principal.ip" => "v.sourceIPAddress"
                }
                on_error => "principal_ip_not_set"
            }
        }
    }

    # Debug aid: dumps the parser state under the given label. Remove before
    # deploying, as it adds noise to every parsed event.
    statedump{
        label => "foo"
    }

    # Emit the assembled UDM event.
    mutate {
      merge => { "@output" => "event1" }
    }
}

How am I supposed to access the ARN of the first element in the resources array, i.e. `arn:aws:s3:::abc/fake/5a660ee115645811/1942c4f7458e:1944564ta60:84a2d733`?

Can anyone help me with this?

Here is a modified version that you can use. I didn't loop through the resources, but you can. I also access the ARN and map it to hostname just to show how to access that field.

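filter {
  # Parse the raw CloudTrail record from "message". "split_columns" flattens
  # JSON arrays so elements can be addressed by index (record.resources.0.ARN).
  # A message that is not JSON raises the "not_json_format" flag instead of
  # failing the parser.
  json {
    source => "message"
    array_function => "split_columns"
    on_error => "not_json_format"
  }

  # Static UDM metadata for every event; "src_present" is a state flag that
  # is flipped to "true" below once a source IP is seen.
  mutate {
    replace => {
      "src_present" => "false"
      "event1.idm.read_only_udm.metadata.vendor_name" => "AWS"
      "event1.idm.read_only_udm.metadata.product_name" => "CLOUDTRAIL"
      "event1.idm.read_only_udm.metadata.event_type" => "GENERIC_EVENT"
    }
  }

  # One CloudTrail record per iteration.
  for index, record in Records {
    # Guard: only touch principal fields when sourceIPAddress holds a value.
    if [record][sourceIPAddress] not in ["", "null", "None"] {
      mutate {
        replace => {
          "src_present" => "true"
        }
      }

      # Read the ARN of the first resources element through the flattened path.
      # Illustrative only: an S3 object ARN names the accessed resource, not
      # the caller's host, so a production parser should place it in
      # target.resource.name rather than principal.hostname.
      # This mutate gets its own error flag so a missing ARN is
      # distinguishable from the principal.ip merge failing.
      mutate {
        replace => {
          "event1.idm.read_only_udm.principal.hostname" => "%{record.resources.0.ARN}"
        }
        on_error => "arn_not_set"
      }

      # merge copies the value of the named field into principal.ip; a value
      # that is not a valid IP raises "principal_ip_not_set" instead of
      # aborting the parser.
      mutate {
        merge => {
          "event1.idm.read_only_udm.principal.ip" => "record.sourceIPAddress"
        }
        on_error => "principal_ip_not_set"
      }
    }
  }

  # Debug aid that dumps the parser state under the given label; remove
  # before deploying.
  statedump {
    label => "foo"
  }

  # Emit the assembled UDM event.
  mutate {
    merge => { "@output" => "event1" }
  }
}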