Skip to main content

This is a sample data : 

 

{
"ts": "2025-04-28T12:56:43.765882Z",
"adminName": "PRA.DE@abc.com",
"adminEmail": "PRA.D@abc.com",
"adminId": "6693xxxx6693",
"networkName": null,
"networkId": null,
"networkUrl": null,
"ssidName": null,
"ssidNumber": null,
"page": "Policy objects",
"label": "Policy object group object ids",
"client": {
"id": null,
"type": null
}
}

 

 I have written a parser for this, 

 

filter {
json {
source => "message"
array_function => "split_columns"
on_error => "not_json_format"
}

mutate {
replace => {
"event1.idm.read_only_udm.metadata.event_type" => "GENERIC_EVENT"
}
}


json {
source => "message"
array_function => "split_columns"
}


if [networkId] != "" {
mutate {
replace => {
"networkId_label.value.string_value" => "%{networkId}"
}
on_error => "networkId_empty"
}
if ![networkId_empty] {
mutate {
replace => {
"networkId_label.key" => "networkId"
}
}
mutate {
merge => {
"event1.idm.read_only_udm.additional.fields" =>
"networkId_label"
}
on_error => "networkId_label_empty"
}
}
}



if [networkUrl] != "" {
mutate {
replace => {
"networkUrl_label.value.string_value" => "%{networkUrl}"
}
on_error => "networkUrl_empty"
}
if ![networkUrl_empty] {
mutate {
replace => {
"networkUrl_label.key" => "networkUrl"
}
}
mutate {
merge => {
"event1.idm.read_only_udm.additional.fields" =>
"networkUrl_label"
}
on_error => "networkUrl_label_empty"
}
}
}


if [networkName] != "" {
mutate {
replace => {
"networkName_label.value.string_value" => "%{networkName}"
}
on_error => "networkName_empty"
}
if ![networkName_empty] {
mutate {
replace => {
"networkName_label.key" => "networkName"
}
}
mutate {
merge => {
"event1.idm.read_only_udm.additional.fields" =>
"networkName_label"
}
on_error => "networkName_label_empty"
}
}
}

statedump {
label => "foo"
}

mutate {
merge => { "@output" => "event1" }
}
}

 


Error Observed : 

 

generic::unknown: pipeline.ParseLogEntry failed: LOG_PARSING_CBN_ERROR: "generic::invalid_argument: pipeline failed: filter conditional (4) failed: failed to evaluate expression: generic::invalid_argument: \\"networkId\\" not found in state data"

 


Even after putting check for blank value, it is throwing this error.
How to resolve it? Can anyone help me with this. 

It is typically best practice to initialize the variables at the top of the parser, but inside of the "filter" curly braces. What's happening if is you do the data extraction with the JSON function and there is no networkId in the log, it's going to error out trying to reference it because it doesn't exist.


filter {
//Declare variables inside the replace block
mutate {
replace => {
networkId => ""
}
}

//rest of parser code
}

 

Reply


Terms & ConditionsCookie settings
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.