Skip to main content

How can we grab a specific field and its value from an unparsed JSON ingested from source tools?

  • July 31, 2023
  • 10 replies
  • 50 views
K
Forum|alt.badge.img+4

How can we grab a specific field and its value from an unparsed JSON ingested from source tools? I'm attaching an example unparsed JSON here and I need to grab the value of the field "LastMessageRcptCount" (which is 117). Thank you!
{"f3u":"DLITTLE@Null.COM","ev":"DLITTLE@Null.COM","rs":"EmailSendingLimitExceeded;InternalRecipientCountToday=3;ExternalRecipientCountToday=1;ExceedingLimitType=External;Last MessagetraceId=Null;LastMessageRcptCount=117;CIP=Null;AS:45002","adt":"Generated by OBP2SenderRepService - Object Store: 1535;SpamRule=45002;","evnt":"Listed","ts":"2023-06-05T15:36:00.0000000Z","te":"2023-06-05T15:37:00.0000000Z","op":"EmailSendingLimitExceeded","wl":"SecurityComplianceCenter","tid":"Null","tdc":"1","reid":"Null","rid":"Null","cid":"Null","ad":"User has exceeded their email sending limit and the action defined within the Outbound Spam policy has been applied. -V1.0.0.0","lon":"EmailSendingLimitExceeded","an":"Email sending limit exceeded","sev":"Medium"} Any specific playbook actions that can help us achieve this within playbooks?

    10 replies

    R
    Forum|alt.badge.img+9
    • recon_acook
    • New Member
    • July 31, 2023

    Two options I think apply here:
    Input this into the Buffer action (from Tools power up) and then parse it with the built-in JSON filters
    Input this into Render Template from TemplateEngine power up and then parse it with Jinja

    K
    Forum|alt.badge.img+4
    • krunalm
    • Author
    • New Member
    • July 31, 2023

    I've tried using the JSON filters, specifically the "filter" action but never had it working. Any idea how would I do that?

    R
    Forum|alt.badge.img+9
    • recon_acook
    • New Member
    • July 31, 2023

    If the action is already produces JSON, you won't need Buffer

    R
    Forum|alt.badge.img+9
    • recon_acook
    • New Member
    • July 31, 2023

    https://cloud.google.com/chronicle/docs/soar/respond/working-with-playbooks/using-the-expression-builder
    https://cloud.google.com/chronicle/docs/soar/respond/working-with-playbooks/use-cases-for-expression-builder

    K
    Forum|alt.badge.img+4
    • krunalm
    • Author
    • New Member
    • July 31, 2023

    The problem is - the output from buffer is a JSON with key "rs" which contains multiple field names within it separated by ";" - my requirement is to fetch a specific field and its value from that "rs" field

    K
    Forum|alt.badge.img+4
    • krunalm
    • Author
    • New Member
    • July 31, 2023

    Thank you so much this information though!

    R
    Forum|alt.badge.img+9
    • recon_acook
    • New Member
    • July 31, 2023

    Oh, I see now. Let me take another pass when I get a chance

    K
    Forum|alt.badge.img+4
    • krunalm
    • Author
    • New Member
    • July 31, 2023

    TY!

    M
    Forum|alt.badge.img
    • Mailliw
    • New Member
    • October 15, 2024

    Hello Krunalm,

    I am actually facing the same issue, i know it's been a while but have you been able to find a solution?

    f3rz
    Staff
    Forum|alt.badge.img+10
    • f3rz
    • Staff
    • October 15, 2024

    @krunalm you can use string function + regex to achieve this:

    I used buffer just to store this json somewhere so buffer is not required if this is returned by some other action or you get it via some placeholder:

     

    Regex that I've used: (?<=LastMessageRcptCount=)\\d{1,3}

    Terms & ConditionsCookie settingsAccessibility statement
    Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

    © 2025 Google. All rights reserved.