How can we grab a specific field and its value from an unparsed JSON ingested from source tools? I'm attaching an example unparsed JSON here and I need to grab the value of the field "LastMessageRcptCount" (which is 117). Thank you!
{"f3u":"DLITTLE@Null.COM","ev":"DLITTLE@Null.COM","rs":"EmailSendingLimitExceeded;InternalRecipientCountToday=3;ExternalRecipientCountToday=1;ExceedingLimitType=External;Last MessagetraceId=Null;LastMessageRcptCount=117;CIP=Null;AS:45002","adt":"Generated by OBP2SenderRepService - Object Store: 1535;SpamRule=45002;","evnt":"Listed","ts":"2023-06-05T15:36:00.0000000Z","te":"2023-06-05T15:37:00.0000000Z","op":"EmailSendingLimitExceeded","wl":"SecurityComplianceCenter","tid":"Null","tdc":"1","reid":"Null","rid":"Null","cid":"Null","ad":"User has exceeded their email sending limit and the action defined within the Outbound Spam policy has been applied. -V1.0.0.0","lon":"EmailSendingLimitExceeded","an":"Email sending limit exceeded","sev":"Medium"}
Any specific playbook actions that can help us achieve this within playbooks?
Two options I think apply here:
Input this into the Buffer action (from Tools power up) and then parse it with the built-in JSON filters
Input this into Render Template from TemplateEngine power up and then parse it with Jinja
I've tried using the JSON filters, specifically the "filter" action but never had it working. Any idea how I would do that?
If the action already produces JSON, you won't need Buffer
https://cloud.google.com/chronicle/docs/soar/respond/working-with-playbooks/using-the-expression-builder
https://cloud.google.com/chronicle/docs/soar/respond/working-with-playbooks/use-cases-for-expression-builder
The problem is - the output from buffer is a JSON with key "rs" which contains multiple field names within it separated by ";" - my requirement is to fetch a specific field and its value from that "rs" field
Thank you so much for this information though!
Oh, I see now. Let me take another pass when I get a chance
TY!
Hello Krunalm,
I am actually facing the same issue. I know it's been a while, but have you been able to find a solution?
@krunalm you can use string function + regex to achieve this:
I used Buffer just to store this JSON somewhere, so Buffer is not required if this is returned by some other action or you get it via some placeholder:
Regex that I've used: (?<=LastMessageRcptCount=)\\d{1,3}
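Added example, not part of the original thread: the same extraction in plain Python, run outside any playbook action, going one step further than the single-field regex by splitting the whole "rs" string into its key=value pairs. The function names are hypothetical and the sample event is the one from the question, trimmed to a few keys.

```python
import json
import re

# Constructed sample: the event from the question, trimmed to the keys used here.
RAW_EVENT = (
    '{"ev":"DLITTLE@Null.COM","rs":"EmailSendingLimitExceeded;'
    'InternalRecipientCountToday=3;ExternalRecipientCountToday=1;'
    'ExceedingLimitType=External;Last MessagetraceId=Null;'
    'LastMessageRcptCount=117;CIP=Null;AS:45002","sev":"Medium"}'
)


def parse_rs(rs):
    """Split the ';'-separated "rs" string into (flags, key/value fields)."""
    flags, fields = [], {}
    for token in rs.split(";"):
        token = token.strip()
        if not token:
            continue
        # Split on the first '=' only, so a value may itself contain '='.
        key, sep, value = token.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
        else:
            # Tokens without '=' such as "EmailSendingLimitExceeded" or "AS:45002".
            flags.append(token)
    return flags, fields


def get_rs_field(raw_event, name):
    """Return one field from "rs" as a string, or None if it is absent."""
    event = json.loads(raw_event)
    _, fields = parse_rs(event.get("rs", ""))
    return fields.get(name)


def get_rcpt_count_regex(raw_event):
    """Regex variant with the same lookbehind as the reply above.

    Uses \\d+ rather than \\d{1,3}, so a count above 999 is not cut short.
    """
    match = re.search(r"(?<=LastMessageRcptCount=)\d+", raw_event)
    return int(match.group()) if match else None


if __name__ == "__main__":
    print(get_rs_field(RAW_EVENT, "LastMessageRcptCount"))
    print(get_rcpt_count_regex(RAW_EVENT))
```

Both functions return None when the field is missing, so a downstream condition can tell "no count in this alert" apart from a count of zero.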