Question

security_result issue

  • December 8, 2025
  • 2 replies
  • 22 views

lukeeeen


I am attempting to parse the following log by using UDM mapping but I am facing the following error:

generic::unknown: pipeline.ParseLogEntry failed: LOG_PARSING_CBN_ERROR: "generic::invalid_argument: failed to convert raw output to events: failed to convert raw message 0: field \"idm\": index 0: recursive rawDataToProto failed: field \"read_only_udm\": index 0: recursive rawDataToProto failed: field \"security_result\": index 0: recursive rawDataToProto failed: field \"action\": failed to make strategy: received non-slice or non-array raw output for repeated field"

This is the log piece:

{
  "threatType": "General Malware",
  "status": "Blocked"
}


and this is the parsing code:

json {
  source => "message"
  array_function => "split_columns"
  on_error => "error_not_json"
}

if [status] == "Allowed" {
  mutate { replace => { "security_result.action" => "ALLOW" } }
} else if [status] == "Blocked" {
  mutate { replace => { "security_result.action" => "BLOCK" } }
}

if [threatType] == "Phishing" {
  mutate { replace => { "security_result.category" => "PHISHING" } }
} else if [threatType] == "General Malware" {
  mutate { replace => { "security_result.category" => "SOFTWARE_MALICIOUS" } }
}

if [security_result] != "" {
  mutate {
    merge => { "event.idm.read_only_udm.security_result" => "security_result" }
  }
}

Does anyone have any suggestions for resolving this issue?

2 replies

ErikaB
  • Community Manager
  • December 9, 2025

Hi @lukeeeen

This is a great question, and we've actually created a detailed resource that specifically addresses this topic in depth. To give you the most comprehensive guidance, I recommend checking out our Adoption Guides, specifically Part 2 as it contains several sections for repeated fields like security_result.

Hope this helps!


JSpoorSonic
  • Bronze 3
  • December 11, 2025

Try something like this:

You replace your action to a variable.action (e.g. result_action.action), then you merge it to security_result.action, which you then merge to the event.

if ![no_action_found] {
  if [allowed] == "1" {
    mutate { replace => { "result_action" => "ALLOW" } }
  } else if [allowed] == "0" {
    mutate { replace => { "result_action" => "BLOCK" } }
  } else {
    mutate { replace => { "result_action" => "UNKNOWN_ACTION" } }
  }
  # security_result.action is a repeated field, so the scalar holder is merged in rather than replaced
  mutate { merge => { "security_result.action" => "result_action" } }
  if ![no_rule_info] {
    mutate {
      replace => { "security_result.rule_name" => "%{rule_info}" }
    }
  }
  mutate { merge => { "event1.idm.read_only_udm.security_result" => "security_result" } }
}
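The holder-field pattern from the reply above, applied to the log from the original question, as an added example that is neither poster's code. It assumes the snippet sits inside the `filter { }` block a Chronicle parser expects, picks `GENERIC_EVENT` as a placeholder `metadata.event_type` (any parser needs one set; the question's snippet omits it), and uses holder field names `action_holder` and `category_holder` chosen for this example. The point it makes beyond the reply is that `security_result.category` is a repeated field in the UDM schema just like `action`, so the original `replace` into `category` would trip the same "non-slice or non-array raw output for repeated field" error once `action` was fixed; `description`, by contrast, is a plain string and keeps `replace`.

```logstash
filter {
  # Parse the raw JSON payload; on failure the flag named in on_error is set.
  json {
    source => "message"
    array_function => "split_columns"
    on_error => "error_not_json"
  }

  if ![error_not_json] {
    # Assumed for this example: every UDM event needs an event type.
    # GENERIC_EVENT is a placeholder choice, not something the question specifies.
    mutate { replace => { "event.idm.read_only_udm.metadata.event_type" => "GENERIC_EVENT" } }

    # security_result.action is a repeated field. replace would store a plain
    # string there, which is exactly what the "received non-slice or non-array
    # raw output for repeated field" error reports. Build the value in a scalar
    # holder field (action_holder, a name chosen here) and merge it in.
    if [status] == "Allowed" {
      mutate { replace => { "action_holder" => "ALLOW" } }
    } else if [status] == "Blocked" {
      mutate { replace => { "action_holder" => "BLOCK" } }
    } else {
      mutate { replace => { "action_holder" => "UNKNOWN_ACTION" } }
    }
    mutate { merge => { "security_result.action" => "action_holder" } }

    # security_result.category is repeated as well, so the same holder pattern
    # applies. An unmapped threatType simply leaves category empty.
    if [threatType] == "Phishing" {
      mutate { replace => { "category_holder" => "PHISHING" } }
    } else if [threatType] == "General Malware" {
      mutate { replace => { "category_holder" => "SOFTWARE_MALICIOUS" } }
    }
    if [category_holder] != "" {
      mutate { merge => { "security_result.category" => "category_holder" } }
    }

    # description is a plain string field, so replace is correct here; it keeps
    # the vendor's own threat label visible to analysts (mapping chosen here).
    if [threatType] != "" {
      mutate { replace => { "security_result.description" => "%{threatType}" } }
    }

    # event.security_result is itself repeated, so the assembled block is merged
    # into the event (as the original parser already does), never replaced.
    mutate { merge => { "event.idm.read_only_udm.security_result" => "security_result" } }
  }
}
```

Run against the sample in the question (`status` = `Blocked`, `threatType` = `General Malware`), this yields a single `security_result` entry with `action` = `[BLOCK]`, `category` = `[SOFTWARE_MALICIOUS]` and `description` = `General Malware`. The two holder fields are never written to the event themselves, so they add nothing to the UDM output; they exist only so that `merge` has a scalar to append.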