I have a log source that can group JSON objects into a single raw log. I've checked out https://cloud.google.com/chronicle/docs/reference/parser-syntax#generating_output_-_multiple_events

Is there a way to dynamically iterate over the index, increment it and output each UDM event? Something like:

for event in events {

    mutate {
        replace => {
            "index" => 0
        }
    }

    if [ip] != "" {
        mutate {
            merge => {
                "udm_event%{index}.idm.read_only_udm.target.ip" => "ip"
            }
        }
    }

    mutate {
        merge => {
            "@output" => "udm_event%{index}"
        }
    }
    %{index}++
}

Additional context is that they come in as JSON objects within a list. I've got them all split out but would like them to be parsed into separate UDM events as opposed to one UDM event with array fields.

I think I see this is unnecessary: you can cast the UDM to udm_event inside the loop, then reset it to null at the beginning.

Wouldn't mind someone confirming that this is best practice, however. Validated and working on my end.

filter {
    for k, v in messageSplit {

        mutate {
            replace => {
                "udm_event" => ""
            }
        }

        # MAP DATA HERE

        # Create UDM event inside loop
        mutate {
            merge => {
                "@output" => "udm_event"
            }
        }
    }
}

This is exactly how you would iterate the logs in an array and then generate the UDM event for each log in the loop.
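A filled-in version of the loop-with-reset pattern from the post above, as an added example rather than code from the original thread. It assumes `messageSplit` already holds the array of parsed JSON objects (as in the post) and that each element may carry an `ip` field; the `[v][ip]` conditional and `%{v.ip}` loop-variable addressing are assumed here and are worth confirming in the parser validation tool before relying on them.

```logstash
filter {
  # Assumed: messageSplit already holds the array of JSON objects,
  # one element per event, as described in the post.
  for k, v in messageSplit {

    # Reset the per-iteration event and the scratch variable first, so a
    # value set while handling the previous element cannot leak into this one.
    mutate {
      replace => {
        "udm_event" => ""
        "ip" => ""
      }
    }

    # Every UDM event needs an event_type; the remaining mapping is per field.
    mutate {
      replace => {
        "udm_event.idm.read_only_udm.metadata.event_type" => "GENERIC_EVENT"
      }
    }

    # target.ip is a repeated field: copy the element's value into a scalar
    # variable, then merge that variable (merge takes a field name, not a value).
    if [v][ip] != "" {
      mutate {
        replace => {
          "ip" => "%{v.ip}"
        }
      }
      mutate {
        merge => {
          "udm_event.idm.read_only_udm.target.ip" => "ip"
        }
      }
    }

    # Emit this element as its own UDM event; no index bookkeeping is needed
    # because udm_event is rebuilt from empty on every iteration.
    mutate {
      merge => {
        "@output" => "udm_event"
      }
    }
  }
}
```

Without the reset at the top of the loop, an element that lacks `ip` would be emitted with the previous element's address still attached, which is the field-leak the reset guards against.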