Question

Parser security_result.action_details empty

  • November 24, 2025
  • 1 reply
  • 20 views

_RT_

Hi,

I am developing a custom parser for an email-security product with JSON logs.

Everything is working as intended, except for information I want to include under the "security_result.action_details" UDM field, which does not get populated whatever I try.

My code is as follows:

    if [event][scan][indicators] != "" {
        for indicator in [event][scan][indicators] {
            mutate {
                replace => {
                    "action_details" => "indicator"
                }
            }

            mutate {
                merge => {
                    "security_result.action_details" => "action_details"
                }
            }

            mutate {
                merge => {
                    "udm_event.idm.read_only_udm.security_result" => "security_result"
                }
            }
        }
    }

With the JSON log having information in this format (redacted all other information about the email and left only the structure and relevant field):

    {
        "event": {
            "scan": {
                "indicators": [
                    "MachineLearningGood",
                    "SuspiciousUri"
                ],
                "aiClassifier": "neutral"
            },
            "reject": null,
            "userReleasable": true
        }
    }

All other information I extract, such as date, email addresses, IP, hostname, is being correctly assigned to UDM fields, but in this case the UDM "security_result.action_details" remains completely empty. I did not see any necessary precondition in the documentation; my events have no security_event.about and the event_type is EMAIL_UNCATEGORIZED.

Any idea what could be the issue?
Thanks


1 reply

JeremyLand
Staff
  • December 3, 2025

I suspect this block is what is giving you trouble:

    mutate {
        merge => {
            "security_result.action_details" => "action_details"
        }
    }

That `merge` is trying to treat 'security_result.action_details' as a repeated field/array with a single value instead of just a string: `["SuspiciousURI"]` vs `"SuspiciousURI"`.

Based on the UDM field reference, security_result.action_details is a string and is not repeated. So to use that field you would need to populate it with a replace instead of a merge.

With your example you could accomplish that by doing a replace with the value of indicator right on to security_result.action_details, by modifying line 5 from your example with:

    "security_result.action_details" => "%{indicator}"

Then removing lines 9-13 so the merge on 17 adds this security_result to "udm_event.idm.read_only_udm.security_result" (which is a repeated object) on your base event.

This should give you an event with:

    event.security_result[0].action_details = "MachineLearningGood"
    event.security_result[1].action_details = "SuspiciousURI"
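Putting the staff suggestion together, here is the full loop as an editor-added example (not code posted by either participant): line 5 now interpolates `%{indicator}` straight into `security_result.action_details`, the second `mutate` is removed, and the remaining `merge` appends one `security_result` object per indicator.

```logstash
if [event][scan][indicators] != "" {
    for indicator in [event][scan][indicators] {
        # action_details is a plain (non-repeated) string in UDM, so it is set
        # with replace; %{indicator} expands the loop variable, whereas the
        # original "indicator" would have written that literal word
        mutate {
            replace => {
                "security_result.action_details" => "%{indicator}"
            }
        }

        # security_result on the event IS a repeated object, so merge is the
        # right verb here: each pass through the loop appends one entry
        mutate {
            merge => {
                "udm_event.idm.read_only_udm.security_result" => "security_result"
            }
        }
    }
}
```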