Skip to main content

I have a log source that can group json objects into a single raw log. I've checked out - https://cloud.google.com/chronicle/docs/reference/parser-syntax#generating_output_-_multiple_events

is there a way to dynamically iterate over the index, increment it and output each UDM event? something like -

 

for event in events { mutate { replace => { "index" => 0 } } if [ip] != "" { mutate { merge =>{ "udm_event%{index}.idm.read_only_udm.target.ip" => "ip" } } } mutate { merge => { "@output" => "udm_event%{index}" } } %{index}++ }

 

Additional context is that they come in as json objects within a list. I've got them all split out but would like them to be parsed into separate UDM events as opposed to one UDM event with array fields.

I think I see this is unnecessary, you can cast the udm to udm_event inside the loop, then reset it to null at the beginning.

Wouldn't mind someone confirming that is best practice however? Validated and working on my end.

filter{ for k,v in messageSplit { mutate { replace => { "udm_event" => "" } } # MAP DATA HERE # Create UDM event inside loop mutate { merge => { "@output" => "udm_event" } } } }

 

I think I see this is unnecessary, you can cast the udm to udm_event inside the loop, then reset it to null at the beginning.

Wouldn't mind someone confirming that is best practice however? Validated and working on my end.

filter{ for k,v in messageSplit { mutate { replace => { "udm_event" => "" } } # MAP DATA HERE # Create UDM event inside loop mutate { merge => { "@output" => "udm_event" } } } }

 


This is exactly how you would iterate the logs in an array and then generate the UDM event for each log in the loop.

Terms & ConditionsCookie settingsAccessibility statement
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.