merge in parser extension overwrites the value instead of merging

Forum|Forum|1 year ago
January 18, 2024
5 replies
40 views

S

shahhe
New Member

I am writing parser extension and want to update security_result.description field.

if [@computed][message] != "" {

mutate {

replace => {

"security_result.description" => "%{@computed.message}"

}

mutate {

merge => {

"event.idm.read_only_udm.security_result" => "security_result"

}

mutate {

merge => {

"@output" => "event"

}

end result is that all other security_results fields are deleted, I see description field only.

How can I add description field?

+1

vgera
Bronze 1
Forum|Forum|1 year ago
April 29, 2024

I also have the same question, can someone please provide an answer?

Like

V

+1

verma7463
New Member
Forum|Forum|1 year ago
April 29, 2024

Hello,

I am also facing issue, can someone please update how can we handle this?

Like

C

+1

chronicle_grok
New Member
Forum|Forum|1 year ago
April 29, 2024

what other security_results fields are there in other parts of the parser?
usually when I use security_result.* I assign a number for every single fields

Like

V

+1

verma7463
New Member
Forum|Forum|1 year ago
April 30, 2024

what other security_results fields are there in other parts of the parser?
usually when I use security_result.* I assign a number for every single fields

Other security_result fields are like security_result.category, securit_result.severity, securit_result.threat_name, securit_result.threat_status, etc

Like

+6

citreno
Bronze 1
Forum|Forum|1 year ago
April 30, 2024

Bug/Known issue afaik, arrays get overriden and since security_result is an array/repeated field we just avoid putting anything in it via extension. Unfortunately this field is not really workable through parser extensions, we just avoid it. You can use a different field and file a feature request.

V

Like

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded