Solved

Multi Event Parsing

  • January 22, 2025
  • 2 replies

samryanturner

I have a log source that can group json objects into a single raw log. I've checked out - https://cloud.google.com/chronicle/docs/reference/parser-syntax#generating_output_-_multiple_events

Is there a way to dynamically iterate over the index, increment it and output each UDM event? Something like:

    for event in events {
      mutate { replace => { "index" => 0 } }
      if [ip] != "" {
        mutate { merge => { "udm_event%{index}.idm.read_only_udm.target.ip" => "ip" } }
      }
      mutate { merge => { "@output" => "udm_event%{index}" } }
      %{index}++
    }

Additional context is that they come in as json objects within a list. I've got them all split out but would like them to be parsed into separate UDM events as opposed to one UDM event with array fields.

Best answer by samryanturner


2 replies

samryanturner
  • Author
  • Bronze 5
  • Answer
  • January 22, 2025

I think I see this is unnecessary: you can cast the udm to udm_event inside the loop, then reset it to null at the beginning.

Wouldn't mind someone confirming that is best practice however? Validated and working on my end.

    filter {
      for k,v in messageSplit {
        mutate { replace => { "udm_event" => "" } }
        # MAP DATA HERE
        # Create UDM event inside loop
        mutate { merge => { "@output" => "udm_event" } }
      }
    }

 
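A Python model of the pattern in the accepted answer, added here as an illustration and not code from the thread or from the Chronicle parser itself: each element of the split list gets a fresh udm_event, the fields are mapped, and the event is appended to the output, while the reset_each_iteration=False path shows why the reset matters (a record without ip would otherwise inherit target.ip from the previous record). The JSON records and the UDM field paths are constructed for illustration.

```python
import copy
import json

# Constructed raw log: one log line carrying a JSON list of objects, as in the
# question. The second object deliberately has no "ip" field.
RAW_LOG = json.dumps([
    {"host": "web-01", "ip": "10.0.0.5", "action": "login"},
    {"host": "web-02", "action": "logout"},
    {"host": "web-03", "ip": "10.0.0.7", "action": "login"},
])


def map_fields(udm_event, record):
    """The '# MAP DATA HERE' step: map one JSON object onto a UDM-shaped dict.
    Mirrors the question's conditional: target.ip is only set when ip is non-empty.
    Field paths are illustrative assumptions, not a full UDM mapping."""
    ro = udm_event.setdefault("idm", {}).setdefault("read_only_udm", {})
    ro.setdefault("principal", {})["hostname"] = record["host"]
    ro["metadata"] = {"product_event_type": record["action"]}
    if record.get("ip", "") != "":
        # target.ip is a repeated field in UDM, so merge appends to a list
        ro.setdefault("target", {}).setdefault("ip", []).append(record["ip"])
    return udm_event


def parse_multi_event(raw_log, reset_each_iteration=True):
    """Model of the accepted answer's loop: for each element of messageSplit,
    reset udm_event, map the fields, then merge it into @output.
    With reset_each_iteration=False the same dict is reused across iterations,
    which reproduces the stale-field problem the reset avoids."""
    message_split = json.loads(raw_log)
    output = []
    udm_event = {}
    for record in message_split:
        if reset_each_iteration:
            # the mutate { replace => { "udm_event" => "" } } step
            udm_event = {}
        map_fields(udm_event, record)
        # the mutate { merge => { "@output" => "udm_event" } } step
        output.append(copy.deepcopy(udm_event))
    return output
```

With the reset in place the second record carries no target block; without it, it silently reports the first record's IP.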


rajukg11
Staff
  • Staff
  • January 22, 2025



This is exactly how you would iterate the logs in an array and then generate the UDM event for each log in the loop.