Skip to main content

Error in parser

  • April 29, 2025
  • 1 reply
  • 18 views
spartan_07
Forum|alt.badge.img+2

This is a sample data : 

 

{ "ts": "2025-04-28T12:56:43.765882Z", "adminName": "PRA.DE@abc.com", "adminEmail": "PRA.D@abc.com", "adminId": "6693xxxx6693", "networkName": null, "networkId": null, "networkUrl": null, "ssidName": null, "ssidNumber": null, "page": "Policy objects", "label": "Policy object group object ids", "client": { "id": null, "type": null } }

 

 I have written a parser for this, 

 

filter { json { source => "message" array_function => "split_columns" on_error => "not_json_format" } mutate { replace => { "event1.idm.read_only_udm.metadata.event_type" => "GENERIC_EVENT" } } json { source => "message" array_function => "split_columns" } if [networkId] != "" { mutate { replace => { "networkId_label.value.string_value" => "%{networkId}" } on_error => "networkId_empty" } if ![networkId_empty] { mutate { replace => { "networkId_label.key" => "networkId" } } mutate { merge => { "event1.idm.read_only_udm.additional.fields" => "networkId_label" } on_error => "networkId_label_empty" } } } if [networkUrl] != "" { mutate { replace => { "networkUrl_label.value.string_value" => "%{networkUrl}" } on_error => "networkUrl_empty" } if ![networkUrl_empty] { mutate { replace => { "networkUrl_label.key" => "networkUrl" } } mutate { merge => { "event1.idm.read_only_udm.additional.fields" => "networkUrl_label" } on_error => "networkUrl_label_empty" } } } if [networkName] != "" { mutate { replace => { "networkName_label.value.string_value" => "%{networkName}" } on_error => "networkName_empty" } if ![networkName_empty] { mutate { replace => { "networkName_label.key" => "networkName" } } mutate { merge => { "event1.idm.read_only_udm.additional.fields" => "networkName_label" } on_error => "networkName_label_empty" } } } statedump { label => "foo" } mutate { merge => { "@output" => "event1" } } }

 


Error Observed : 

 

generic::unknown: pipeline.ParseLogEntry failed: LOG_PARSING_CBN_ERROR: "generic::invalid_argument: pipeline failed: filter conditional (4) failed: failed to evaluate expression: generic::invalid_argument: \\"networkId\\" not found in state data"

 


Even after putting check for blank value, it is throwing this error.
How to resolve it? Can anyone help me with this. 

    1 reply

    James_E
    Staff
    Forum|alt.badge.img+8
    • James_E
    • Staff
    • April 29, 2025

    It is typically best practice to initialize the variables at the top of the parser, but inside of the "filter" curly braces. What's happening if is you do the data extraction with the JSON function and there is no networkId in the log, it's going to error out trying to reference it because it doesn't exist.

    filter { //Declare variables inside the replace block mutate { replace => { networkId => "" } } //rest of parser code }

     

      Terms & ConditionsCookie settingsAccessibility statement
      Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

      © 2025 Google. All rights reserved.