Hi,
How do I parse out “data_user_agent” in the below the nested JSON ? The log is Syslog with a JSON object:
<190>Dec 9 19:55:40 test-local-primary test_audit:
{
"actor_ip": "1.1.1.1,
"action": "login",
"created_at": [removed by moderator] ,
"data": {
"user_agent": "Mozilla/5.0 (Macintosh Intel Mac OS X 10.15 rv:145.0) Gecko/20100101 Firefox/145.0",
"method": "POST",
"@timestamp": [removed by moderator] ,
"category_type": "Authentication",
}
}
My parser is as follows but it doesn’t pick up anything for the “data_user_agent” field.
filter {
mutate {
replace => {
"data_user_agent" => ""
}
}
mutate {replace => {"event.idm.read_only_udm.metadata.event_type" => "GENERIC_EVENT"}}
if [data_user_agent] != "" {
mutate {
replace => {
"data_user_agent.key" => "data_user_agent"
"data_user_agent.value.string_value" => "%{data_user_agent}"
}
merge => {
"event.idm.read_only_udm.additional.fields" => "data_user_agent"
}
}
}
if [data_user_agent] != "" {
mutate {
replace => {
"event.idm.read_only_udm.network.http.user_agent" => "%{data_user_agent}"
}
}
}
statedump {}
mutate {
merge => {
"@output" => "event"
}
}
}
STATEDUMP:
Internal State (label=):
{
"@collectionTimestamp": {
"nanos": 0,
"seconds": [removed by moderator]
},
"@createTimestamp": {
"nanos": 0,
"seconds": [removed by moderator]
},
"@enableCbnForLoop": true,
"@onErrorCount": 0,
"@output": [],
"@timestamp": {
"nanos": 0,
"seconds": [removed by moderator]
},
"@timezone": "",
"data_user_agent": "",
"event": {
"idm": {
"read_only_udm": {
"metadata": {
"event_type": "GENERIC_EVENT"
}
}
}
},
"hostname": "test-local-primary",
"message": "\u003c190\u003eDec 9 19:55:40 test-local-primary test_audit: \n{\n \"actor_ip\": \"1.1.1.1\",\n \"action\": \"login\",\n \"created_at\": [removed by moderator] ,\n \"data\": {\n \"user_agent\": \"Mozilla/5.0 (Macintosh Intel Mac OS X 10.15 rv:145.0) Gecko/20100101 Firefox/145.0\",\n \"method\": \"POST\",\n \"category_type\": \"Authentication\"\n }\n}",
"time": "Dec 9 19:55:40"
}