
I'm building a custom parser and below is a snippet for which I'm facing an issue. This particular field is not always present in all events. It gives the value False or is not available at all.

JSON:

body {
  custom {
    security {
      blocked = "FALSE"
    }
  }
}

The expression below is not extracting the value and also gives the following error message when validating the parser: generic::unknown: pipeline.ParseLogEntry failed: LOG_PARSING_CBN_ERROR: "generic::invalid_argument: pipeline failed: filter conditional (9) failed: failed to evaluate expression: generic::invalid_argument: \"body.custom.security.blocked\" not found in state data"

if [body][custom][security][blocked] =~ "FALSE" {
  mutate {
    merge => {
      "event.idm.read_only_udm.security_result" => "ALLOW"
    }
  }
}

Adding an on_error statement also doesn't do the trick.


You'll want to initialize a variable, named after the JSON field, at the top of the parser. Set it to an empty string; after the JSON extract it will be populated if the field exists. With that, you can test whether the string is empty or not.


# initialize the token
mutate {
  replace => {
    "body.custom.security.blocked" => ""
  }
}

# extract json
json {
  source => "message"
}

# check the string to see if it's empty
if [body][custom][security][blocked] != "" {
  # your parsing logic
}

-mike


Hi @mikewilusz, I have already initialized the variable in the parser. We have a few events without this field name at all, and during validation the parser build fails with those events as examples.
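A runnable model of the pattern discussed in this thread, added here as an example; it is not code from the thread or from the Chronicle parser itself. Python stands in for the CBN pipeline: `naive_lookup` fails on a missing level of the path the way the conditional in the question does, `ensure_default` is the per-field initialisation Mike describes, and `init_before_extract_is_lost` shows one way that initialisation can still leave the field missing: if the JSON extraction replaces the whole top-level `body` object, a default set under `body` before extraction is overwritten, so the default has to be created after the json step. Whether the CBN json filter behaves that way is an assumption of this example, not something the thread establishes. The sample log lines and the layout of the output record (a `security_result` list with an `action` list) are constructed for illustration.

```python
import json
from typing import Any

# Constructed sample events for this example (not from the original post):
# one with the optional field set to FALSE, one without the whole "security"
# object, one with TRUE, and one line that is not JSON at all.
SAMPLE_LOGS = [
    '{"body": {"custom": {"security": {"blocked": "FALSE"}}}}',
    '{"body": {"custom": {"other": "x"}}}',
    '{"body": {"custom": {"security": {"blocked": "TRUE"}}}}',
    'not json at all',
]

# Path of the optional field, as referenced by the conditional in the question.
PATH = ("body", "custom", "security", "blocked")


def naive_lookup(state: dict, path: tuple) -> Any:
    """Mirror of a conditional on [body][custom][security][blocked]: raises as
    soon as any level of the path is absent, the analogue of the
    'not found in state data' validation error."""
    node = state
    for key in path:
        node = node[key]  # KeyError on a missing level
    return node


def ensure_default(state: dict, path: tuple, default: str = "") -> None:
    """Create every missing level of the path and set the leaf to `default`,
    leaving an existing value untouched. This is what a per-field
    initialisation has to achieve; it is applied after extraction so that
    the parsed object cannot overwrite it."""
    node = state
    for key in path[:-1]:
        if not isinstance(node.get(key), dict):
            node[key] = {}
        node = node[key]
    node.setdefault(path[-1], default)


def normalize(raw: str) -> dict:
    """Model of the parser: extract JSON, default the optional field, then
    decide the action. The output field names are assumed for illustration."""
    state: dict = {}
    try:
        state.update(json.loads(raw))
    except ValueError:  # json.JSONDecodeError is a ValueError
        return {"dropped": True, "reason": "not_json"}

    ensure_default(state, PATH)          # safe to test the path after this
    blocked = str(naive_lookup(state, PATH)).upper()
    if blocked == "FALSE":
        action = "ALLOW"
    elif blocked == "TRUE":
        action = "BLOCK"
    else:
        action = "UNKNOWN_ACTION"       # field absent or unexpected value
    return {"security_result": [{"action": [action]}], "blocked_raw": blocked}


def init_before_extract_is_lost(raw: str) -> bool:
    """Ordering pitfall (assumed behaviour, see lead-in): a default created
    under 'body' before extraction is lost when the parsed top-level 'body'
    object replaces it. Returns True when the field ends up missing."""
    state: dict = {}
    ensure_default(state, PATH)          # default set first ...
    state.update(json.loads(raw))        # ... then 'body' is replaced wholesale
    try:
        naive_lookup(state, PATH)
        return False
    except KeyError:
        return True


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(normalize(line))
```

Running the block prints one normalised record per sample line; the event without the `security` object comes out as `UNKNOWN_ACTION` instead of failing, and `init_before_extract_is_lost` returns True for that same event, which is the case to check for in the real parser if defaults are being set before the json step.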

