
Namaste Team,

I'm not sure what is wrong with my code, but I am getting the following error while populating the intermediary nat IP address.

Error: generic::unknown: pipeline.ParseLogEntry failed: LOG_PARSING_CBN_ERROR: "generic::invalid_argument: failed to convert raw output to events: failed to convert raw message 0: field \\"idm\\": index 0: recursive rawDataToProto failed: field \\"read_only_udm\\": index 0: recursive rawDataToProto failed: field \\"intermediary_nat\\": no descriptor found"

Code I have written:

if [_collector_internal_ip_address] not in [ "", "-" ] {
  grok {
    match => {
      "_collector_internal_ip_address" => [ "%{IP:natip}" ]
    }
    overwrite => ["natip"]
    on_error => "not_valid_natip"
  }
}

if ![not_valid_natip] {
  mutate {
    merge => {
      "event.idm.read_only_udm.intermediary_nat.ip" => "natip"
    }
  }
}

Let me know what I am doing wrong here.

Thanks,
Indrajeet Deshmukh



There is no intermediary_nat field.  Try:
"event.idm.read_only_udm.intermediary.ip" => "natip"


@Indrajeet_D 

Here is how I would parse this value. 

Your code:

Code I have written:
if [_collector_internal_ip_address] not in [ "", "-" ] {
  grok {
    match => {
      "_collector_internal_ip_address" => [ "%{IP:natip}" ]
    }
    overwrite => ["natip"]
    on_error => "not_valid_natip"
  }
}

if ![not_valid_natip] {
  mutate {
    merge => {
      "event.idm.read_only_udm.intermediary_nat.ip" => "natip"
    }
  }
}


No need to check if _collector_internal_ip_address is blank or "-".
- The grok filter with the IP match will handle the error handling.
- If the value is an IP and the on_error equals false, it will map the IP to the correct UDM value.

The logic here, if ![zerror][GROK_x_int_nat_ip], is checking if zerror.GROK_x_int_nat_ip is false. If so, it will merge the IP into x_intermediary.nat_ip.
To check if an on_error is true, remove the "!". It will look like this: if [zerror][GROK_x_int_nat_ip]

Intermediary is a repeated field, so you will also need to merge x_intermediary into intermediary.


My code:

filter {
  # Start from an empty intermediary object so the merges below have a target
  mutate {
    replace => {
      "x_intermediary" => ""
    }
  }

  # Grok natip: only a valid IP is captured; anything else (blank, "-", garbage) sets the error flag
  grok {
    match => {
      "natip" => [
        "%{IP:x_int_nat_ip}"
      ]
    }
    overwrite => ["x_int_nat_ip"]
    on_error => "zerror.GROK_x_int_nat_ip"
  }

  # No grok error: add the IP to the intermediary's nat_ip
  if ![zerror][GROK_x_int_nat_ip] {
    mutate {
      merge => {
        "x_intermediary.nat_ip" => "x_int_nat_ip"
      }
    }
  }

  # intermediary is a repeated field, so merge the whole object into it
  if [x_intermediary] != "" {
    mutate {
      merge => {
        "event.idm.read_only_udm.intermediary" => "x_intermediary"
      }
      on_error => "no_intermediary1"
    }
  }

  #statedump{}
  mutate {
    merge => {
      "@output" => "event"
    }
  }
}