JSON Parser | How to properly parse occasional fields

Question

Hi ,This is a question regarding JSON parser for SecOps.Let's suppose this the log :  {   "field1" => "value1"   "field2" => "value2"   "field3" => "value3"} Above is the usual trend. Now, we get a log like this :  {   "field1" => "value1"   "field3" => "value3"} field2 doesn’t exist here, on this the parser will fail and give the error “field2 not found in state data”.  For my parser, i do something like the following : json {        source => "json_data"        array_function => "split_columns"        on_error => "invalid_json"    }//Initiated JSON log.if ![invalid_json] {        json {            source => "json_data"            target => "parsed_json"        }         mutate {            gsub => ["json_data", "^\{", "", "json_data", "\}$", ""]        }          mutate {            add_field => {                "field1" => "%{[parsed_json][field1]}"                "field2" => "%{[parsed_json][field2]}"                "field3" => "%{[parsed_json][field3]}"                    }            convert => {                "download" => "string"                "upload" => "string"            }        }    }//added the field for JSON.Now, let’s say, the field2 is an IP.I can just parse it in principal.ip. Now, the issue here is let’s say, in some logs, there is no field2. This throws an error, what I want is that if field2 is not found or empty, rather than throwing an error, it should just skip over that.

SoarAndy · Answer

Mike knows more than me on this, but here is my code

filter{
    mutate {
        replace => {
            "product_name" => ""
        }
    }
   if [product_name] != "" and [product_name] != "null"{
       mutate {
           replace => {
               "event1.idm.read_only_udm.metadata.product_name" => "%{product_name}"
           }
       }
   }
}

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded