SecOps Custom Parser - Error [recursive rawDataToProto failed: field \"security_result\"]

Question

Hi All,I would appreciate your assistance with custom parsing. I need to parse the fields security_result.action and security_result.action_details: ####security_result.action#### if[reason] =~ "Allowed" or     [reason] =~ "ALLOWED" {     mutate     {         replace=>         {          "security_result.action" => "ALLOW"         }         on_error => "action not found"     } }####security_result.action_details####  mutate     {         replace=>         {          "security_result.action_details" => "%{action}"         }         on_error => "action detail found"     }#######################  if [security_result] != ""    {      mutate       {        merge =>         {          "event.idm.read_only_udm.security_result" => "security_result"        }      }    } But it resulted in an error ;-generic::unknown: pipeline.ParseLogEntry failed: LOG_PARSING_CBN_ERROR: "generic::invalid_argument: failed to convert raw output to events: failed to convert raw message 0: field \"idm\": index 0: recursive rawDataToProto failed: field \"read_only_udm\": index 0: recursive rawDataToProto failed: field \"security_result\": index 0: recursive rawDataToProto failed: field \"action\": failed to make strategy: received non-slice or non-array raw output for repeated field" I would appreciate your assistance in identifying where my parsing needs to be corrected.

matthewnichols · Answer

​@Lutfi0_0 We just hosted two Parsing webinars in Community in Jan and Dec ‘25. These might help.

SecOps Custom Parser - Error [recursive rawDataToProto failed: field \"security_result\"]

2 replies

Key Changes Made:

Key Changes Made:

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded