
Hey all,

We're currently trying to write a parser extension for Google Workplace Activities, as we found that key fields are not being mapped to UDM for some Google Groups changes.

The problem we're facing is that one input payload contains multiple events, each of which becomes a separate UDM event. When we're trying to map new fields for matching events, they're applied to all the output events. 

filter {
  json {
    source => "message"
    array_function => "split_columns"
  }

  mutate {
    replace => { "event.idm.read_only_udm.target.resource.name" => "" }
  }

  statedump { "label" => "1" }

  if [id][applicationName] == "groups_enterprise" {
    for index1, item1 in events {
      if [item1][name] == "change_acl_permission" {
        for index2, parameter in item1.parameters {
          if [parameter][name] == "group_email" {
            mutate {
              replace => {
                "event.idm.read_only_udm.target.resource.name" => "%{parameter.value}"
              }
            }
          }
        }
      }
    }
  }

  mutate {
    merge => {
      "@output" => "event"
    }
  }
}

The above code works, but sets `target.resource.name` on all the output UDM events, not just the ones where `name` is equal to `change_acl_permission`.

What do I need to change so that the items in `events` which don't match my conditional won't be altered? I'm new to parser development so let me know if I've missed something obvious. Thanks!

Hi @effytw ,

If you can share the sample raw log with me, I can try to figure out a solution.

Thanks,
Sudeep Singh


Thank you! 

Here's an example with randomized values.

Our ultimate goal is to get the "group_email", "acl_permission", "old_value_repeated", and "new_value_repeated" of the "acl_change" event mapped to UDM. Today the built-in parser doesn't do anything with them.

{
  "id": {
    "time": "1741838194532000",
    "uniqueQualifier": "-8305762960981225876",
    "applicationName": "groups_enterprise",
    "customerId": "1234567"
  },
  "actor": {
    "gaiaId": "817238191892",
    "email": "user@example.org",
    "callerType": "USER",
    "orgunitPath": [
      "8917288",
      "812377213617819"
    ],
    "groupId": [
      "812721712719"
    ]
  },
  "events": [
    {
      "type": "moderator_action",
      "name": "change_basic_setting",
      "parameters": [
        {
          "name": "group_email",
          "label": "LABEL_OPTIONAL",
          "type": "TYPE_STRING",
          "value": "group@example.org"
        },
        {
          "name": "basic_setting",
          "label": "LABEL_OPTIONAL",
          "type": "TYPE_STRING",
          "value": "show_in_groups_directory"
        },
        {
          "name": "old_value",
          "label": "LABEL_OPTIONAL",
          "type": "TYPE_STRING",
          "value": "false"
        },
        {
          "name": "new_value",
          "label": "LABEL_OPTIONAL",
          "type": "TYPE_STRING",
          "value": "true"
        }
      ]
    },
    {
      "type": "acl_change",
      "name": "change_acl_permission",
      "parameters": [
        {
          "name": "group_email",
          "label": "LABEL_OPTIONAL",
          "type": "TYPE_STRING",
          "value": "group@example.org"
        },
        {
          "name": "acl_permission",
          "label": "LABEL_OPTIONAL",
          "type": "TYPE_STRING",
          "value": "can_view_topics"
        },
        {
          "name": "old_value_repeated",
          "label": "LABEL_REPEATED",
          "type": "TYPE_STRING",
          "multiStrValue": [
            "organization",
            "members",
            "owners",
            "managers"
          ]
        },
        {
          "name": "new_value_repeated",
          "label": "LABEL_REPEATED",
          "type": "TYPE_STRING",
          "multiStrValue": [
            "members",
            "owners",
            "managers"
          ]
        }
      ]
    }
  ],
  "ownerDomain": "example.org"
}
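To make the per-event scoping the question is after concrete, here is an added illustration in Python (not code from the original post, and not the Google SecOps parser language): it splits the sample payload above into one record per entry in `events`, and attaches the `group_email`, `acl_permission`, `old_value_repeated` and `new_value_repeated` values only to the record whose `name` is `change_acl_permission`, leaving the `change_basic_setting` record untouched. The sample log is a condensed copy of the randomized payload posted above; the output field names (`target_resource_name`, `acl_change`, `removed`, `added`) are this example's own choices, and the `removed`/`added` diff of the repeated values goes one step beyond the post's stated goal to show which principals lost or gained the permission.

```python
import json

# Constructed sample: a condensed copy of the randomized groups_enterprise
# payload posted above; every value is a placeholder taken from that post.
SAMPLE_LOG = """
{
  "id": {"time": "1741838194532000", "applicationName": "groups_enterprise", "customerId": "1234567"},
  "actor": {"email": "user@example.org", "callerType": "USER"},
  "events": [
    {"type": "moderator_action", "name": "change_basic_setting", "parameters": [
      {"name": "group_email", "value": "group@example.org"},
      {"name": "basic_setting", "value": "show_in_groups_directory"},
      {"name": "old_value", "value": "false"},
      {"name": "new_value", "value": "true"}
    ]},
    {"type": "acl_change", "name": "change_acl_permission", "parameters": [
      {"name": "group_email", "value": "group@example.org"},
      {"name": "acl_permission", "value": "can_view_topics"},
      {"name": "old_value_repeated", "multiStrValue": ["organization", "members", "owners", "managers"]},
      {"name": "new_value_repeated", "multiStrValue": ["members", "owners", "managers"]}
    ]}
  ],
  "ownerDomain": "example.org"
}
"""

APPLICATION = "groups_enterprise"
TARGET_EVENT = "change_acl_permission"
WANTED_PARAMS = ("group_email", "acl_permission", "old_value_repeated", "new_value_repeated")


def parameter_value(param):
    """Return a parameter's value, whether scalar (`value`) or repeated (`multiStrValue`)."""
    if "multiStrValue" in param:
        return list(param["multiStrValue"])
    return param.get("value")


def split_events(raw_log):
    """Split one payload into one output record per entry in `events`.

    Envelope fields (id, actor) are copied into every record. Fields derived
    from an event's own parameters are attached only to that event's record,
    so a non-matching event in the same payload is never altered.
    """
    payload = json.loads(raw_log)
    application = payload.get("id", {}).get("applicationName")
    outputs = []
    for event in payload.get("events", []):
        record = {
            "application": application,
            "actor_email": payload.get("actor", {}).get("email"),
            "event_type": event.get("type"),
            "event_name": event.get("name"),
        }
        # Per-event condition: the same test the parser config applies, but
        # its result is scoped to this record only.
        if application == APPLICATION and event.get("name") == TARGET_EVENT:
            params = {p["name"]: parameter_value(p) for p in event.get("parameters", [])}
            acl = {k: params[k] for k in WANTED_PARAMS if k in params}
            record["target_resource_name"] = acl.get("group_email")
            record["acl_change"] = acl
            # Diff of the repeated values: who lost and who gained the permission.
            old = set(acl.get("old_value_repeated", []))
            new = set(acl.get("new_value_repeated", []))
            record["removed"] = sorted(old - new)
            record["added"] = sorted(new - old)
        outputs.append(record)
    return outputs


if __name__ == "__main__":
    for rec in split_events(SAMPLE_LOG):
        print(json.dumps(rec, indent=2))
```

Running it prints two records: the first carries only envelope fields and the event name, the second additionally carries the group email as the target resource name, the ACL parameters, and `"removed": ["organization"]` for this sample, which is the signal a detection on the `acl_change` event would key on.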

Since this is a native parser and a native log, you should open a support ticket for them to address the gap in the parser. Google-owned parsers are supported by Google and technically should be updated to match their own products if you open a support ticket.
