Question

Handling nested JSON in an extension parser

  • January 19, 2026
  • 1 reply
  • 43 views

I have this nested JSON:


"jsonPayload": {
"message": "\"id2\":{\"timestamp\":\"2026-01-19 03:15:20\", \"app_name\": \"test1234\", \"client_port\": \"2233\", \"client_host\": \"hostName\"},
}

I wrote this code snippet, but it doesn't work. Can you tell me why?

filter {
  mutate {
    replace => {
      "client_port" => ""
    }
  }
  grok {
    match => {
      "jsonPayload.message" => ["client_port=(?P<client_port>[0-9]+)"]
    }
    overwrite => ["client_port"]
    on_error => "client_port_not_present"
  }
  statedump{}
  mutate {
    rename => {
      "client_port" => "event.idm.read_only_udm.principal.port"
    }
  }
  mutate {
    convert => {
      "event.idm.read_only_udm.principal.port" => "integer"
    }
  }
  mutate {
    merge => {
      "@output" => "event"
    }
  }
}


I want to extract the value of the client_port field and map it to the UDM principal.port field.

Thanks in advance for your support.

1 reply

James_E
Staff
  • January 22, 2026

The first problem is that the JSON you shared is not valid JSON, so I will use the following example instead.

Assuming we have the following JSON event...

{
  "resource": {
    "type": "k8s_container",
    "labels": {
      "container_name": "test-container",
      "namespace_name": "default",
      "location": "us-west1-a",
      "project_id": "abc-123",
      "cluster_name": "test-cluster",
      "pod_name": "test-pod-123"
    }
  }
}

We can use a for loop and the `map` keyword to iterate over the key-value pairs.

filter {
  # Parse the raw log line into fields; json_failure is set if it is not valid JSON
  json {
    source => "message"
    on_error => "json_failure"
    array_function => "split_columns"
  }
  # Iterate over every key/value pair in the resource.labels dict
  for key, value in resource.labels map {
    mutate {
      replace => {
        "test.key" => "%{key}"
        "test.value" => "%{value}"
      }
    }
    # Dump the parser state on each iteration for debugging
    statedump {}
  }
}

This would loop through all of the key-value pairs inside the `resource.labels` dict, giving us the following key-value pairs at each iteration, which can then be used to set the UDM fields.

1st Iteration
"key": "cluster_name",
"value": "test-cluster"

2nd Iteration
"key": "container_name",
"value": "test-container"

3rd Iteration
"key": "location",
"value": "us-west1-a"

etc...

If we want to do the same thing inside a nested object, we can use a nested for loop and map, as in this example.

JSON event:

{
  "resource": {
    "type": "k8s_container",
    "labels": {
      "container_name": "test-container",
      "namespace_name": "default",
      "location": {
        "code": "us-west1-a",
        "country": "US"
      },
      "cluster_name": "test-cluster",
      "pod_name": "test-pod-123"
    }
  }
}

Parser code:

filter {
  # Parse the raw log line into fields; json_failure is set if it is not valid JSON
  json {
    source => "message"
    on_error => "json_failure"
    array_function => "split_columns"
  }
  for key, value in resource.labels map {
    mutate {
      replace => {
        "test.key" => "%{key}"
      }
    }
    # Copying an object (not a scalar) into test.value fails, so nested_key
    # is set when the current value is itself a dict
    mutate {
      replace => {
        "test.value" => "%{value}"
      }
      on_error => "nested_key"
    }
    # Walk the nested location object with an inner loop
    if [test][key] == "location" {
      for nestedKey, nestedValue in value map {
        mutate {
          replace => {
            "locationLabel.key" => "%{nestedKey}"
            "locationLabel.value" => "%{nestedValue}"
          }
        }
        statedump {}
      }
    }
  }
}
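The reply above shows how to surface each key/value pair, but stops short of writing them into UDM. The following parser is an added example, not James_E's code and not from the Chronicle documentation; it takes the second (nested) JSON event and maps every label, flat or nested, into the repeated `target.resource.attribute.labels` list, and copies `location.country` into `principal.location.country_or_region`. It uses only constructs already on the page (json, for/map, mutate replace/merge, statedump, `if` on a copied field) plus an `else` branch. The UDM paths chosen, the `GENERIC_EVENT` event type, the flag names and the assumption that an `on_error` variable is recorded as false when the filter succeeds are all assumptions for illustration.

```conf
filter {
  # Parse the raw log line; bail out if it is not JSON at all
  json {
    source => "message"
    on_error => "json_failure"
    array_function => "split_columns"
  }
  if [json_failure] {
    drop {}
  }

  # Assumed event type; every UDM event needs one
  mutate {
    replace => {
      "event.idm.read_only_udm.metadata.event_type" => "GENERIC_EVENT"
    }
  }

  for key, value in resource.labels map {
    mutate {
      replace => {
        "label.key" => "%{key}"
      }
    }
    # Copying an object into a string field fails, so value_is_object
    # is true for the nested "location" dict and (assumed) false otherwise
    mutate {
      replace => {
        "label.value" => "%{value}"
      }
      on_error => "value_is_object"
    }

    if [value_is_object] {
      # Nested object: flatten its pairs as "location.<nestedKey>"
      for nestedKey, nestedValue in value map {
        mutate {
          replace => {
            "nested.key" => "%{nestedKey}"
            "label.key" => "%{key}.%{nestedKey}"
            "label.value" => "%{nestedValue}"
          }
        }
        # merge appends one {key, value} entry to the repeated labels list
        mutate {
          merge => {
            "event.idm.read_only_udm.target.resource.attribute.labels" => "label"
          }
        }
        # Assumed mapping: country code -> principal location
        if [nested][key] == "country" {
          mutate {
            replace => {
              "event.idm.read_only_udm.principal.location.country_or_region" => "%{nestedValue}"
            }
          }
        }
      }
    } else {
      # Scalar label: append it as-is
      mutate {
        merge => {
          "event.idm.read_only_udm.target.resource.attribute.labels" => "label"
        }
      }
    }
  }

  # Emit the assembled UDM event
  mutate {
    merge => {
      "@output" => "event"
    }
  }
}
```

Run it against the nested sample event with a `statedump {}` placed just before the final merge to confirm that `event.idm.read_only_udm.target.resource.attribute.labels` holds six entries (five scalar labels plus `location.code` and `location.country`, minus the `location` object itself, which is never merged because the `else` branch is skipped for it) and that `principal.location.country_or_region` is `US`.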