
I am trying to understand the statedump of my parser code.

Raw log:

```
{
  "records": {
    "hostname": "host"
  },
  "resourceIdentifiers": [
    {
      "tentantid": "a123",
      "type": "access",
      "subnet": [
        { "ip": "10.1.1.1" },
        { "ip": "10.1.1.2" }
      ]
    }
  ]
}
```

 

Parser:

```
filter {
  json {
    source => "message"
    array_function => "split_columns"
  }
  for i, data in records.resourceIdentifiers {
    for j, subnet in data.subnet {
      mutate {
        replace => {
          "target.ip" => "subnet.ip"
        }
        merge => {
          "event.idm.read_only_udm.target" => "target.ip"
        }
      }
    }
  }
  statedump {}
}
```

 

Statedump:

```
Internal State (label=):
{
  "@createTimestamp": {
    "nanos": 0,
    "seconds": 1708690606
  },
  "@enableCbnForLoop": true,
  "@onErrorCount": 0,
  "@output": [],
  "@timezone": "",
  "message": "{\\n \\"records\\": {\\n \\"hostname\\": \\"host\\"\\n },\\n \\"resourceIdentifiers\\": [\\n {\\n \\"tentantid\\": \\"a123\\",\\n \\"type\\": \\"access\\",\\n \\"subnet\\": [\\n {\\n \\"ip\\": \\"10.1.1.1\\"\\n },\\n {\\n \\"ip\\": \\"10.1.1.2\\"\\n }\\n ]\\n }\\n ]\\n}\\n",
  "records": {
    "hostname": "host"
  },
  "resourceIdentifiers": {
    "0": {
      "subnet": {
        "0": { "ip": "10.1.1.1" },
        "1": { "ip": "10.1.1.2" }
      },
      "tentantid": "a123",
      "type": "access"
    }
  }
}
```

 

Why is the `event.idm.read_only_udm` field not showing in the statedump?

What am I missing in my understanding here, please?

May I please seek some guidance on this?

@Dimarskyi, I was wondering if you could help.

Thank you.
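Added example (not part of the original post): a Python check that resolves the two candidate loop paths against the state shown in the statedump and reports where each path stops existing. It only walks the dumped keys and makes no claim about the parser engine's own loop semantics; `resolve` and `collect_ips` are hypothetical helper names, and `STATE` is copied from the statedump with the `message` string left out.

```python
# STATE mirrors the statedump in the post ("message" and "@..." keys omitted).
STATE = {
    "records": {"hostname": "host"},
    "resourceIdentifiers": {
        "0": {
            "subnet": {"0": {"ip": "10.1.1.1"}, "1": {"ip": "10.1.1.2"}},
            "tentantid": "a123",
            "type": "access",
        }
    },
}


def resolve(state, dotted_path):
    """Walk dotted_path through nested dicts.

    Returns (value, None) on success, or (None, missing_prefix) where
    missing_prefix is the shortest prefix of the path that is absent.
    """
    node = state
    walked = []
    for segment in dotted_path.split("."):
        walked.append(segment)
        if not isinstance(node, dict) or segment not in node:
            return None, ".".join(walked)
        node = node[segment]
    return node, None


def collect_ips(state, outer_path, inner_key="subnet", leaf="ip"):
    """Follow outer_path -> each item -> inner_key -> each leaf value.

    This imitates the shape of the two nested loops in the post; it is a
    plain dictionary walk, not the parser engine.
    """
    outer, missing = resolve(state, outer_path)
    if missing:
        return []  # nothing to iterate: the outer path is not in the state
    ips = []
    for item in outer.values():
        for subnet in item.get(inner_key, {}).values():
            ips.append(subnet[leaf])
    return ips


if __name__ == "__main__":
    for path in ("records.resourceIdentifiers", "resourceIdentifiers"):
        _, missing = resolve(STATE, path)
        print(path, "->", "missing at " + missing if missing else "found")
        print("  ips reachable:", collect_ips(STATE, path))
```

In the dumped state, `records` holds only `hostname`, while `resourceIdentifiers` sits at the top level next to it.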