
SecOps Parser - error failed: field \"severity\": index 0: received non-string raw output for enum field"

  • November 4, 2025

JSpoorSonic

With the code below, and where "linktargetport": "389(ldap)"

 

    if ![no_linktargetport_found] {
      mutate {
        replace => {"targetport" => "%{linktargetport}"}
        gsub => ["targetport", "[^0-9]", ""]
      }
      mutate {
        convert => {"targetport" => "integer"}
      }
      mutate {
        convert => {"targetport" => "string"}
      }
      mutate {
        replace => {
          "cse_event.idm.read_only_udm.target.port" => "%{targetport}"
        }
      }
    }
    }

 

This errors out with the following (the two converts were a suggestion from Gemini...):

 

LOG_PARSING_CBN_ERROR: "generic::invalid_argument: failed to convert raw output to events: failed to convert raw message 0: field \"idm\": index 0: recursive rawDataToProto failed: field \"read_only_udm\": index 0: recursive rawDataToProto failed: field \"target\": index 0: recursive rawDataToProto failed: panic encountered: non-signed-integral type given for backstory.Noun.port: string \"389\""

 

With only the first convert, so only converting to integer

LOG_PARSING_CBN_ERROR: "generic::invalid_argument: pipeline failed: filter mutate (43) failed: replace failure: field \"cse_event.idm.read_only_udm.target.port\": source field \"targetport\": source field value must be a string"

Best answer by mikewilusz

mikewilusz
Staff
  • Answer
  • November 5, 2025

I reference a similar error in my parser creation blog post. You’re likely running into a similar issue. Here’s the snippet from my blog that I think will help.

https://medium.com/@cloudymike/parsing-netflow-data-in-google-secops-2f1b0f58ea49

 

Try that out and if you’re still let me know and I’ll take a further look.

 

-mike


JSpoorSonic
  • Author
  • November 5, 2025

That did the trick!!! You sir are a STAR!
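
The two errors in the question pull in opposite directions: the UDM field `target.port` rejects the string "389", while `replace` rejects an integer source. The block below is an added example, not code from the thread or from the linked blog post, showing one way to satisfy both. It assumes `rename` carries the converted integer through unchanged, and `targetport_not_integer` is a hypothetical flag name.

```logstash
# Added example, not from the thread. Field names follow the question's snippet.
if ![no_linktargetport_found] {
  # "389(ldap)" -> "389": copy the raw value and strip every non-digit.
  mutate {
    replace => { "targetport" => "%{linktargetport}" }
    gsub => ["targetport", "[^0-9]", ""]
  }
  # target.port is an integer UDM field, so convert the token itself.
  # on_error sets a flag instead of failing the pipeline when the value
  # is empty or non-numeric (for example a service name with no digits).
  mutate {
    convert => { "targetport" => "integer" }
    on_error => "targetport_not_integer"   # hypothetical flag name
  }
  # replace only accepts string sources, so move the converted token with
  # rename rather than interpolating it back into a string.
  if ![targetport_not_integer] {
    mutate {
      rename => { "targetport" => "cse_event.idm.read_only_udm.target.port" }
    }
  }
}
```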