Hi,

While validating a parser I see an error with the message

generic::unknown: invalid event 0: LOG_PARSING_GENERATED_INVALID_EVENT: "generic::invalid_argument: *events_go_proto.Event_Alert: alert event device 1 is invalid: device is empty"

The error message is seen for some of the logs due to the parser block below:

if ![missing_tenant] and "%{agent.labels.tenant}" != "" and "%{agent.labels.tenant}" != "-" {
  mutate {
    replace => {
      "event.idm.read_only_udm.principal.namespace" => "%{agent.labels.tenant}"
    }
    on_error => "failed_replace.tenantLabel"
  }
}

The parser works and the namespace is seen when looking at the statedump. However it shows the error above at UDM output and the validation fails. Just commenting out the code block above resolves the issue. Any pointers on what could be the issue and how to resolve it?

Screenshots attached.

When I tried to identify the root cause, it seems like the parser is only failing for logs that parse metadata.event_type: GENERIC_EVENT. This is the only common thing I can see it failing for. I have properly implemented the requisites mentioned here. It says the GENERIC_EVENT doesn't have any field dependencies. Also, it doesn't throw any error until a custom namespace is passed.

Any help here? @cmmartin_google @jstoner


For the conditional statements I would use the angled bracket syntax, as the %{format} is usually used to assign a value rather than perform a conditional operation:

if ![missing_tenant] and [agent][labels][tenant] != "" and [agent][labels][tenant] != "-" {
  mutate {
    replace => {
      "event.idm.read_only_udm.principal.namespace" => "%{agent.labels.tenant}"
    }
    on_error => "failed_replace.tenantLabel"
  }
}

For labels you need to define a key and a value first before performing a merge operation:

mutate {
  replace => {
    "additional_myLabel.key" => "myKey"
    "additional_myLabel.value" => "%{myValue}"
  }
}
mutate {
  merge => {
    "event.idm.read_only_udm.target.resource.attribute.labels" => "additional_myLabel"
  }
}

I think what is happening is both the above statements are failing and it's outputting an empty event.

You can also do something like define event at the top of the extension, then check the value is not empty before an output:

if [event] != "" {
  mutate {
    merge => {
      "@output" => "event"
    }
  }
}
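Putting the three suggestions above together as one added example (not code from the thread or from Chronicle's own documentation): the raw log is assumed to be JSON that may or may not carry an agent.labels.tenant key, and the working field names tenant and tenant_label are constructed for illustration. The field is initialised before it is referenced, so the bracket syntax never hits "state not available", the label is built as key/value before the merge, and nothing is emitted unless the event is non-empty.

```logstash
filter {
  # Constructed example: give the working field a value up front so that
  # [tenant] always exists when it is referenced in a conditional.
  mutate {
    replace => {
      "tenant" => ""
    }
  }

  # The raw log is assumed to be JSON (constructed assumption).
  json {
    source => "message"
    array_function => "split_columns"
    on_error => "not_json"
  }

  # Copy the optional key into the pre-initialised field. If the key is absent
  # the replace fails and only the missing_tenant flag is set; the event is untouched.
  mutate {
    replace => {
      "tenant" => "%{agent.labels.tenant}"
    }
    on_error => "missing_tenant"
  }

  # Bracket syntax is safe here because [tenant] was initialised above.
  if ![missing_tenant] and [tenant] != "" and [tenant] != "-" {
    mutate {
      replace => {
        "event.idm.read_only_udm.principal.namespace" => "%{tenant}"
      }
      on_error => "failed_replace.tenantLabel"
    }

    # Labels: define key and value first, then merge into the repeated field.
    # "tenant_label" is a constructed label name.
    mutate {
      replace => {
        "additional_tenantLabel.key" => "tenant_label"
        "additional_tenantLabel.value" => "%{tenant}"
      }
    }
    mutate {
      merge => {
        "event.idm.read_only_udm.target.resource.attribute.labels" => "additional_tenantLabel"
      }
    }
  }

  # Only emit an output event when something was actually populated, so an
  # empty event is never sent to UDM validation.
  if [event] != "" {
    mutate {
      merge => {
        "@output" => "event"
      }
    }
  }
}
```

The point of initialising tenant before the json block is that a failed replace leaves the earlier empty string in place rather than leaving the field undefined, which is what makes the later bracket comparison well-defined on logs that lack the key.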

Hi @cmmartin_google ,

On the first note, I tried to use the angled bracket syntax, but since I am directly referencing the JSON data in the message, if the key is not present it throws an error saying state not available; this is where I chose to go with the %{} for the key.

On the second, as per the screenshot, I can confirm the event is indeed getting assigned to the events, and inside the block below I have only assigned the principal.namespace and nothing else; commenting out the assignment of namespace stops the error.

if ![missing_tenant] and "%{agent.labels.tenant}" != "" and "%{agent.labels.tenant}" != "-" {
  mutate {
    replace => {
      "event.idm.read_only_udm.principal.namespace" => "%{agent.labels.tenant}"
    }
    on_error => "failed_replace.tenantLabel"
  }
}

I will have a look into the merging after verification if [event] is not empty and get back to you on 