Question

Parser extension replaces all data in about field

  • October 2, 2025
  • 3 replies
  • 48 views

turri

Hello 
I’m working on extending a JSON parser, and I want to insert the value of my variable Hostname into the field about.asset.hostname.

Right now, I can capture the value into a variable, but when I try to add it into the JSON with this code:

 

if [Hostname] != "" {
  # stage the hostname under a temporary object
  mutate { replace => { "temp.asset.hostname" => "%{Hostname}" } }
  # merge the temporary object into about
  mutate { merge => { "event.idm.read_only_udm.about" => "temp" } }
  # clear the temporary object afterwards
  mutate { replace => { "temp" => "" } }
}

the parser replaces the entire about structure, instead of just adding the hostname.

How can I modify this so that only my string is added to about.asset.hostname without overwriting the rest of the JSON structure?

3 replies

kentphelps
Staff
  • Staff
  • October 8, 2025

You can add the hostname directly to the nested field using a single mutate filter with the add_field option. This avoids overwriting the parent about object.

The correct approach is to use bracket notation [parent][child] to specify the exact nested path you want to create or update.

Something like:
 

if [Hostname] != "" {
  mutate {
    add_field => {
      "[event][idm][read_only_udm][about][asset][hostname]" => "%{Hostname}"
    }
  }
}
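As an added illustration that is not part of this thread and not Google's parser code, the following Python models the two approaches as operations on a nested dictionary: setting a bracket-notation path creates only the missing levels and leaves sibling keys in place, while replacing the parent about key with a freshly built temp object discards everything that was already there. The sample event, the hostname value and the function names are constructed for the example; how an extension's output is layered over the main parser's about block at ingestion time is platform behaviour that this model does not cover.

```python
import copy
import re
from typing import Any

# Constructed sample: the rough shape of an event as a main parser might leave
# it, with several existing entries under about. Not real parser output.
SAMPLE_EVENT = {
    "event": {
        "idm": {
            "read_only_udm": {
                "about": {
                    "asset": {"ip": ["10.0.0.5"]},
                    "labels": [{"key": "source", "value": "winlog"}],
                }
            }
        }
    }
}

# Matches one "[segment]" of a Logstash-style bracket path.
_SEGMENT_RE = re.compile(r"\[([^\[\]]+)\]")


def parse_bracket_path(path: str) -> list[str]:
    """Turn "[a][b][c]" into ["a", "b", "c"]; reject anything not in bracket form."""
    segments = _SEGMENT_RE.findall(path)
    if "".join(f"[{s}]" for s in segments) != path:
        raise ValueError(f"not a bracket path: {path!r}")
    return segments


def add_field(event: dict, path: str, value: Any) -> dict:
    """Model of mutate { add_field => { "[a][b][c]" => value } }.

    Walks the path, creating missing intermediate objects, and sets only the
    leaf. Sibling keys at every level are left untouched. The input event is
    not modified; a new copy is returned.
    """
    out = copy.deepcopy(event)
    *parents, leaf = parse_bracket_path(path)
    node = out
    for seg in parents:
        child = node.get(seg)
        if not isinstance(child, dict):
            child = {}
            node[seg] = child
        node = child
    node[leaf] = value
    return out


def replace_about_with_temp(event: dict, hostname: str) -> dict:
    """Model of what the original snippet was observed to do.

    A temp object holding only asset.hostname is built and then becomes the
    whole about object, so any pre-existing about content is lost.
    """
    out = copy.deepcopy(event)
    temp = {"asset": {"hostname": hostname}}
    out["event"]["idm"]["read_only_udm"]["about"] = temp
    return out


def about_of(event: dict) -> dict:
    """Convenience accessor for the about object of an event."""
    return event["event"]["idm"]["read_only_udm"]["about"]


if __name__ == "__main__":
    path = "[event][idm][read_only_udm][about][asset][hostname]"
    kept = add_field(SAMPLE_EVENT, path, "ws-01")
    lost = replace_about_with_temp(SAMPLE_EVENT, "ws-01")
    print("nested set keeps siblings:", about_of(kept))
    print("parent replace drops them:", about_of(lost))
```

Running the block prints the two resulting about objects side by side; the first still carries the asset.ip and labels entries next to the new hostname, the second contains only the hostname.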

 


AbdElHafez
Staff
  • Staff
  • October 8, 2025

Hi @turri, if you are building a parser extension, it is expected that any addition to the about field in the extension will overwrite the existing about field structure generated from the main parser.

If you need to append, you will have to use the UI, not the code snippet, unfortunately, or you will need to re-generate the structure of the about field as generated from the main parser.

If you could share the parser name and extension code I could take a closer look. I covered this point in the UDM Deep Dive Adoption Guide Part 3.

 


turri
  • Author
  • New Member
  • October 9, 2025


Hi @AbdElHafez, thanks for your response!

I'm currently working on the Windows Event parser. The structure returned by the parser contains numerous about fields, which makes it quite challenging to reconstruct from the extension alone.