
Hello 
I’m working on extending a JSON parser, and I want to insert the value of my variable Hostname into the field about.asset.hostname.

Right now, I can capture the value into a variable, but when I try to add it into the JSON with this code:


if [Hostname] != "" {
  mutate {
    replace => { "temp.asset.hostname" => "%{Hostname}" }
  }
  mutate {
    merge => { "event.idm.read_only_udm.about" => "temp" }
  }
  mutate {
    replace => { "temp" => "" }
  }
}

the parser replaces the entire about structure, instead of just adding the hostname.

How can I modify this so that only my string is added to about.asset.hostname without overwriting the rest of the JSON structure?

You can add the hostname directly to the nested field using a single mutate filter with the add_field option. This avoids overwriting the parent about object.

The correct approach is to use bracket notation [parent][child] to specify the exact nested path you want to create or update.

Something like:

if [Hostname] != "" {
  mutate {
    add_field => {
      "[event][idm][read_only_udm][about][asset][hostname]" => "%{Hostname}"
    }
  }
}



Hi @turri, if you are building a parser extension, it is expected that any addition to the about field in the extension will overwrite the existing about field structure generated from the main parser.

If you need to append, you will have to use the UI, not the code snippet, unfortunately, OR you will need to re-generate the structure of the about field as generated from the main parser.

If you could share the parser name and extension code I could take a closer look. I covered this point in the UDM Deep Dive Adoption Guide Part 3.

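To make the replace-versus-append behaviour concrete, here is an added illustrative model in Python. It is not Google SecOps/Chronicle code and does not reproduce the parser engine; it only models the two situations discussed in this thread: an extension whose output for about replaces the main parser's about entries (as AbdElHafez describes), and an extension that re-emits the main parser's entries before appending its own. The sample event, the hostname value and the helper names (set_nested, apply_extension, regenerated_about) are constructed for this example. In UDM, about is a repeated field, so it is modelled as a list.

```python
import copy
import re

# Constructed sample (not real parser output): a simplified UDM event as a
# main parser might emit it. 'about' is a repeated field, so it is a list.
MAIN_PARSER_EVENT = {
    "event": {
        "idm": {
            "read_only_udm": {
                "metadata": {"event_type": "USER_LOGIN"},
                "about": [
                    {"labels": [{"key": "LogonType", "value": "3"}]},
                    {"resource": {"name": "SomeService"}},
                ],
            }
        }
    }
}

BRACKET = re.compile(r"\[([^\]]+)\]")


def parse_bracket_path(path):
    """'[event][idm][read_only_udm]' -> ['event', 'idm', 'read_only_udm'].
    A dotted path ('event.idm.read_only_udm') is accepted as well."""
    parts = BRACKET.findall(path)
    return parts if parts else path.split(".")


def set_nested(event, path, value):
    """Model of add_field with a bracket path: walk the path, creating
    intermediate objects as needed, and set only the leaf. Siblings of the
    nodes on the path (e.g. metadata) are left untouched. A repeated field
    (a list) on the path cannot be descended into and raises TypeError."""
    node = event
    *parents, leaf = parse_bracket_path(path)
    for key in parents:
        if key not in node:
            node[key] = {}
        node = node[key]
        if not isinstance(node, dict):
            raise TypeError(f"cannot descend into non-object field {key!r}")
    node[leaf] = value
    return event


def extension_about(hostname):
    """Model of the questioner's snippet: temp.asset.hostname merged into
    about. The extension's 'about' is then a one-element list."""
    if hostname == "":
        return []
    temp = {"asset": {"hostname": hostname}}
    return [temp]


def apply_extension(main_event, ext_fields):
    """Model of the behaviour described in the answer above: each top-level
    UDM field the extension emits replaces the main parser's field of the
    same name, so the main parser's about entries are lost."""
    out = copy.deepcopy(main_event)
    out["event"]["idm"]["read_only_udm"].update(ext_fields)
    return out


def regenerated_about(hostname, main_about):
    """Model of 're-generate the structure of the about field': the extension
    re-emits every entry the main parser would have produced (in practice
    re-extracted from the raw log; passed in here) and appends its own."""
    return copy.deepcopy(main_about) + extension_about(hostname)


def about_entries(event):
    return event["event"]["idm"]["read_only_udm"]["about"]


if __name__ == "__main__":
    main_about = about_entries(MAIN_PARSER_EVENT)
    lost = apply_extension(MAIN_PARSER_EVENT, {"about": extension_about("host01")})
    print("replace:", about_entries(lost))          # only the hostname entry
    kept = apply_extension(
        MAIN_PARSER_EVENT, {"about": regenerated_about("host01", main_about)}
    )
    print("regenerated:", about_entries(kept))      # two original entries + hostname
```

The model makes the point of the thread visible: extension_about on its own yields an about list with a single asset entry, and apply_extension drops everything the main parser had put there; regenerated_about is the extra work the second approach asks for, namely carrying the main parser's entries along, which is why it is painful for a parser that emits many about entries.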

Hi @AbdElHafez, thanks for your response!

I'm currently working on the Windows Event parser. The structure returned by the parser contains numerous about fields, which makes it quite challenging to reconstruct from the extension alone.