Parser Extension Error

Question

What is the issue with below extension code:  filter {
     json {
        source => "message"
        array_function => "split_columns"
    }

if [debugContext][debugData][proxyType] != "" {
        mutate {
            replace => {
                "proxyType.key" = "proxyType"
                "proxyType.value" = "%{debugContext.debugData.proxyType}"
            }

copy => {
                "event1.idm.read_only_udm.security_result.detection_fields" => "proxyType"

}
        }
    }

mutate {
            merge => {
                "@output" => "event1"

}
        }
}   Error: generic::unknown: pipeline.ParseLogEntry failed: LOG_PARSING_CBN_ERROR: "generic::invalid_argument: failed to convert raw output to events: failed to convert raw message 0: field \"idm\": index 0: recursive rawDataToProto failed: field \"read_only_udm\": index 0: recursive rawDataToProto failed: field \"security_result\": failed to make strategy: received non-slice or non-array raw output for repeated field"Objective: Trying to extract debugContext.debugData.proxyType  to UDM under security_result.detection_fields

DanHansen · Accepted Answer

Several things, proxyType.key and proxyType.value should be proxyType.labels.key and proxyType.labels.value because you are creating a new branch preceding labels.key;  copy should be merge as security_result is now a repeated string after adhering to proxyType. Also you should add another mutate before copy that should now be merge just to make sure everything stays in order.

Reply

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded