There is something suspicious regarding the network.application_protocol UDM field:
Every time I try to override the default Apigee X field mapping for this field, I receive the following error when I test the parser extension: No UDM events or entities were generated for the current parser configuration. if this is not intended, rectify the code snippet/UDM mappings and then click preview.
According to the statedump, I am confident that the following parser extension logic should be working fine:
    filter {
        mutate {
            replace => {
                "jsonPayload.headers.x-forwarded-proto" => ""
            }
        }
        json {
            source => "message"
            array_function => "split_columns"
            on_error => "_not_json"
        }
        if [_not_json] {
            drop {
                tag => "TAG_MALFORMED_MESSAGE"
            }
        }
        else {
            if [jsonPayload][headers][x-forwarded-proto] != "" {
                if [jsonPayload][headers][x-forwarded-proto] in [ "http","https", "ssh", "smtp","dns"] {
                    mutate {
                        uppercase => ["jsonPayload.headers.x-forwarded-proto"]
                    }
                    mutate {
                        replace => {
                            "token_network.application_protocol" => "%{jsonPayload.headers.x-forwarded-proto}"
                        }
                        on_error => "no_jsonPayload_application_protocol"
                    }
                }
                else {
                    mutate {
                        replace => {
                            "token_network.application_protocol" => "UNKNOWN_APPLICATION_PROTOCOL"
                        }
                    }
                }
            }
            mutate {
                rename => {
                    "token_network" => "event.idm.read_only_udm.network"
                }
            }
            mutate {
                merge => {
                    "@output" => "event"
                }
            }
        }
    }
As I said, in the statedump the field is actually getting mapped in @output, but after investigation, it is still using the default parser field mapping, which is causing the error above.
Any known issue regarding this topic?