
I have the following parser code -

# Security Result
if [severity] == "INFO" {
  mutate {
    replace => {
      "security_result_action" => "ALLOW"
      "security_result_description" => "SUCCESS"
    }
  }
}

However, when previewing its output I see the following error -

generic::unknown: pipeline.ParseLogEntry failed: LOG_PARSING_CBN_ERROR: "generic::invalid_argument: failed to convert raw output to events: failed to convert raw message 0: field \\"idm\\": index 0: recursive rawDataToProto failed: field \\"read_only_udm\\": index 0: recursive rawDataToProto failed: field \\"security_result\\": index 0: recursive rawDataToProto failed: panic encountered: non-string given for backstory.SecurityResult.description: []interface {} []interface {}{\\"SUCCESS\\"}"

Why is this not being interpreted as a string?

Hi, 

The UDM field security_result.description takes a string as a parameter whereas security_result.action takes a constant value (predefined values). In the case above, you need to pass "SUCCESS" in a variable. Something similar to this:

mutate {
  replace => {
    "security_result_description" => "%{otherTokenValue}"
  }
}

Where "otherTokenValue" stores "SUCCESS"  


Okay, I have the following, which returns the same error -

# Security Result
if [severity] == "INFO" {
  mutate {
    replace => {
      "description" => "SUCCESS"
    }
  }
  mutate {
    replace => {
      "security_result_action" => "ALLOW"
      "security_result_description" => "%{description}"
    }
  }
}

Can you please post where your security_result_description is changed to security_result.description?


Your replace statement should be fine; replace would set both of those variables to a string regardless of whether you use a variable or not. The error likely lies somewhere after this. Can you share the rest of your parser code?


Sure, here is the full block for SecurityResult -

# Security Result
if [severity] == "INFO" {
  mutate {
    replace => {
      "description" => "SUCCESS"
    }
  }
  mutate {
    replace => {
      "security_result_action" => "ALLOW"
      "security_result_description" => "%{description}"
    }
  }
} else if [severity] == "ERROR" {
  mutate {
    replace => {
      "security_result_action" => "BLOCK"
      "security_result_description" => "%{jsonPayload.status.message}"
    }
  }
}
mutate {
  merge => {
    "security_result.action" => "security_result_action"
    "security_result.description" => "security_result_description"
  }
}
# Merge final security result
mutate {
  merge => {
    "udm_event.idm.read_only_udm.security_result" => "security_result"
  }
}

Based on what you have shared here, my guess would be that the contents of jsonPayload.status.message are the problem. If you insert a statedump {} statement on line 30 and run the parser again, can you share the output of the statedump?

filter {
  mutate {
    replace => {
      "event_type" => "GENERIC_EVENT"
      "severity" => "INFO"
    }
  }
  # Security Result
  if [severity] == "INFO" {
    mutate {
      replace => {
        "description" => "SUCCESS"
      }
    }
    mutate {
      replace => {
        "security_action" => "ALLOW"
        "security_result.description" => "%{description}"
      }
    }
  } else if [severity] == "ERROR" {
    mutate {
      replace => {
        "security_action" => "BLOCK"
        "security_result.description" => "%{jsonPayload.status.message}"
      }
    }
  }
  # Merge Action
  if [security_action] != "" {
    mutate {
      merge => {
        "security_result.action" => "security_action"
      }
    }
  }
  # Merge Security Results
  if [security_result] != "" {
    mutate {
      merge => {
        "event.idm.read_only_udm.security_result" => "security_result"
      }
    }
  }
  # Default Event Data
  mutate {
    replace => {
      "event.idm.read_only_udm.metadata.event_type" => "%{event_type}"
    }
  }
  # Generate Event
  mutate {
    merge => {
      "@output" => "event"
    }
  }
}
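The difference between the failing block earlier in the thread and this working one is how the two fields are populated. The earlier block pushed both security_result_action and security_result_description through merge; the error message shows the parser then received a one-element list ([]interface {}{"SUCCESS"}) for description, which the UDM schema declares as a single string. The working block sets security_result.description with replace (a string) and only merges into security_result.action, which accepts a list of predefined values, as the accepted answer notes. The Python model below is an added illustration, not Chronicle's parser code or the poster's. It assumes that replace assigns a scalar string and merge appends to a repeated (list) field, uses a constructed two-field schema rather than the full UDM definition, and reproduces both flows side by side with a validator that raises the same kind of "non-string given" complaint.

```python
import re

# Constructed subset of the SecurityResult schema (assumption): action is a
# repeated field of predefined values, description is a single string.
SECURITY_RESULT_SCHEMA = {
    "action": {"repeated": True, "enum": {"ALLOW", "BLOCK"}},
    "description": {"repeated": False, "enum": None},
}

_TOKEN = re.compile(r"%\{([^}]+)\}")


def expand(state, template):
    """Expand %{name} references against the parser state (toy version of the
    parser's token substitution); unknown tokens expand to the empty string."""
    return _TOKEN.sub(lambda m: str(state.get(m.group(1), "")), template)


def replace(state, field, template):
    """Toy `mutate { replace => { field => template } }`: assigns one string."""
    state[field] = expand(state, template)


def merge(target, field, value):
    """Toy `mutate { merge => { target.field => source } }`: appends to a repeated
    field, so the destination is always a list (assumption, consistent with the
    thread's error showing description as a one-element list)."""
    target.setdefault(field, []).append(value)


def validate_security_result(sr):
    """Type-check a SecurityResult dict against SECURITY_RESULT_SCHEMA and return
    a list of error strings in the style of the thread's parser error."""
    errors = []
    for name, spec in SECURITY_RESULT_SCHEMA.items():
        if name not in sr:
            continue
        value = sr[name]
        if spec["repeated"]:
            if not isinstance(value, list):
                errors.append(f"non-list given for SecurityResult.{name}: {value!r}")
            elif spec["enum"] and any(v not in spec["enum"] for v in value):
                errors.append(f"invalid value for SecurityResult.{name}: {value!r}")
        elif not isinstance(value, str):
            errors.append(f"non-string given for SecurityResult.{name}: {value!r}")
    return errors


def build_security_result_broken(severity, status_message):
    """Mirrors the earlier failing block: both fields are merged into security_result."""
    state = {"severity": severity, "jsonPayload.status.message": status_message}
    if state["severity"] == "INFO":
        replace(state, "description", "SUCCESS")
        replace(state, "security_result_action", "ALLOW")
        replace(state, "security_result_description", "%{description}")
    elif state["severity"] == "ERROR":
        replace(state, "security_result_action", "BLOCK")
        replace(state, "security_result_description", "%{jsonPayload.status.message}")
    sr = {}
    # Guard added only so the toy does not KeyError on other severities.
    if "security_result_action" in state:
        merge(sr, "action", state["security_result_action"])
        # merge turns the scalar description into a one-element list: the bug.
        merge(sr, "description", state["security_result_description"])
    return sr


def build_security_result_fixed(severity, status_message):
    """Mirrors the working block: description is assigned with replace (a string);
    only the repeated action field goes through merge, behind the != "" guard."""
    state = {"severity": severity, "jsonPayload.status.message": status_message}
    sr = {}
    if state["severity"] == "INFO":
        replace(state, "description", "SUCCESS")
        replace(state, "security_action", "ALLOW")
        sr["description"] = expand(state, "%{description}")
    elif state["severity"] == "ERROR":
        replace(state, "security_action", "BLOCK")
        sr["description"] = expand(state, "%{jsonPayload.status.message}")
    if state.get("security_action", "") != "":
        merge(sr, "action", state["security_action"])
    return sr


if __name__ == "__main__":
    for builder in (build_security_result_broken, build_security_result_fixed):
        sr = builder("INFO", "")
        print(builder.__name__, sr, validate_security_result(sr) or "OK")
```

Running the script prints the broken flow's description as ['SUCCESS'] with a validation error, and the fixed flow's as the plain string with none; the same check applied to an ERROR severity shows that the status message is passed through unchanged as long as it is a string.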

Are you still getting the same error? Is "jsonPayload.status.message" a string or numeric? If it's not a string, then you'll need to convert it first.

Thank you, that's working now.