Skip to main content

Hello everyone,

I'm trying to parse a json object that has several json-like attributes. Also, I'm trying to parse a json array, and after I renamed and merged the fields to UDM, I'm facing this error:

generic::unknown: pipeline.ParseLogEntry failed: LOG_PARSING_CBN_ERROR: "generic::invalid_argument: failed to convert raw output to events: failed to convert raw message 0: field \\"idm\\": index 0: recursive rawDataToProto failed: field \\"read_only_udm\\": index 0: recursive rawDataToProto failed: field \\"about\\": failed to make strategy: received non-slice or non-array raw output for repeated field""

This is my parser extension:

filter {
mutate {
replace => {
"Entities" => ""
"Country" => ""
"City" => ""
"SourceAddressResolution" => ""
"Asn" => ""
"Carrier" => ""

}
}

json {
source => "message"
array_function => "split_columns"
on_error => "not_json_message"
}

if [Entities] != "" {
mutate {
replace => {
"Entities" => "{\\"js_array\\":%{Entities}}"
}
}

json {
source => "Entities"
array_function => "split_columns"
target => "Entities"
on_error => "not_json_array"
}

for entity in Entities.js_array {

mutate {
replace => {
"Country" => "%{entity.SourceAddress.Location.CountryName}"
}
on_error => "not_country_or_region"
}

if ![not_country_or_region] {
mutate {
replace => {
"about.location.country_or_region" => "%{Country}"
}
}
}

mutate {
replace => {
"City" => "%{entity.SourceAddress.Location.City}"
}
on_error => "not_city"
}

if ![not_city] {
mutate {
replace => {
"about.location.city" => "%{City}"
}
}
}

mutate {
replace => {
"SourceAddressResolution" => "%{entity.SourceAddress.Address}"
}
on_error => "not_ip"
}

if ![not_ip] {
mutate {
replace => {
"network.ip" => "%{SourceAddressResolution}"
}
}
}

mutate {
replace => {
"Asn" => "%{entity.SourceAddress.Location.Asn}"
}
on_error => "not_asn"
}

if ![not_asn] {
mutate {
replace => {
"network.asn" => "%{Asn}"
}
}
}

mutate {
replace => {
"Carrier" => "%{entity.SourceAddress.Location.Carrier}"
}
on_error => "not_carrier"
}

if ![not_carrier] {
mutate {
replace => {
"network.carrier_name" => "%{Carrier}"
}
}
}
}
}

if [about] != "" {
mutate {
rename => {
"about" => "event.idm.read_only_udm.about"
}
on_error => "not_valid_about"
}
}

if [network] != "" {
mutate {
merge => {
"event.idm.read_only_udm.network" => "network"
}
on_error => "not_valid_network"
}
}

if ![not_valid_network] and ![not_valid_about] {
mutate {
merge => {
"@output" => "event"
}
on_error => "not_valid_event"
}
}

statedump {
label => "verifying"
}

}

If you take a look at the UDM documentation for "about" you'll see that this is a repeated field. With repeated fields, you'll need to use the merge function to merge it into the repeated field. Details on merge are available here. As someone that's been bit by this before, you'll learn that anytime you see the error "received non-slice or non-array raw output for repeated field" that's telling you you're trying to put data into UDM repeated fields but you didn't use a merge to do it.


-mike

If you take a look at the UDM documentation for "about" you'll see that this is a repeated field. With repeated fields, you'll need to use the merge function to merge it into the repeated field. Details on merge are available here. As someone that's been bit by this before, you'll learn that anytime you see the error "received non-slice or non-array raw output for repeated field" that's telling you you're trying to put data into UDM repeated fields but you didn't use a merge to do it.


-mike


Thank you very much @mikewilusz , the references helped me and I was able to understand the problem.

Reply


Terms & ConditionsCookie settings
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.