Skip to main content

Hello All,

I want to parse the below mentioned log value in integer format only, but when i map it to additional.fields or 

security_result.about.resource.attribute.labels or about.lables it is taking it as a string, but i need the value as a integer. when i tried with additional.fileds.value.number_value it gave the error source filed must be a string.
 
Please refer this raw log:
"WAFRCEAttackScore": 90,
"WAFSQLiAttackScore": 98,
"WAFXSSAttackScore": 98

Please refer the parser code:
  if [WAFSQLiAttackScore] != "" {
      mutate {
        convert => {
          "WAFSQLiAttackScore" => "string"
        }
        on_error => "already_string"
      }
      mutate {
        replace => {
          "WAFSQLiAttackScore_label.value" => "%{WAFSQLiAttackScore}"
          "WAFSQLiAttackScore_label.key" => "WAFSQLiAttackScore"
        }
        on_error => "err"
      }
      mutate{
        merge => {
          "security_result.about.resource.attribute.labels" => "WAFSQLiAttackScore_label"
        }
        on_error => "err"
      }
    }

@sudeep_singh  Can you try the below? If you want it to be an integer, you need to convert it to an integer. The number_value should store it as a number within WAFSQLiAttachScore_label.value.


if [WAFSQLiAttackScore] != "" {
mutate {
convert => {
"WAFSQLiAttackScore" => "integer"
}
on_error => "already_string"
}
mutate {
replace => {
"WAFSQLiAttackScore_label.value.number_value" => "%{WAFSQLiAttackScore}"
"WAFSQLiAttackScore_label.key" => "WAFSQLiAttackScore"
}
on_error => "err"
}
mutate{
merge => {
"security_result.about.resource.attribute.labels" => "WAFSQLiAttackScore_label"
}
on_error => "err"
}
}

@sudeep_singh  Can you try the below? If you want it to be an integer, you need to convert it to an integer. The number_value should store it as a number within WAFSQLiAttachScore_label.value.


if [WAFSQLiAttackScore] != "" {
mutate {
convert => {
"WAFSQLiAttackScore" => "integer"
}
on_error => "already_string"
}
mutate {
replace => {
"WAFSQLiAttackScore_label.value.number_value" => "%{WAFSQLiAttackScore}"
"WAFSQLiAttackScore_label.key" => "WAFSQLiAttackScore"
}
on_error => "err"
}
mutate{
merge => {
"security_result.about.resource.attribute.labels" => "WAFSQLiAttackScore_label"
}
on_error => "err"
}
}

Hi @James_E ,

The parser code you gave me i have already tried it didn't work, so after some research i found out a differrent method to get it parse. Please find the below parser code for your reference.


    if [WAFSQLiAttackScore] != "" {
      mutate{
        copy => {
          "security_result.risk_score" => "WAFSQLiAttackScore"
        }
      }
      mutate {
        merge => {
          "event.idm.read_only_udm.observer.security_result" => "security_result"
        }
      }
      mutate {
        remove_field => ["security_result"]
      }
    }

 

Reply


Terms & ConditionsCookie settings
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.