
I am trying to understand the statedump of my parser code.

Raw log:

```json
{
  "records": {
    "hostname": "host"
  },
  "resourceIdentifiers": [
    {
      "tentantid": "a123",
      "type": "access",
      "subnet": [
        {
          "ip": "10.1.1.1"
        },
        {
          "ip": "10.1.1.2"
        }
      ]
    }
  ]
}
```

Parser:

```
filter {
  json {
    source => "message"
    array_function => "split_columns"
  }
  for i, data in records.resourceIdentifiers {
    for j, subnet in data.subnet {
      mutate {
        replace => { "target.ip" => "subnet.ip" }
        merge => { "event.idm.read_only_udm.target" => "target.ip" }
      }
    }
  }
  statedump {}
}
```

Statedump:

```
Internal State (label=):

{
  "@createTimestamp": {
    "nanos": 0,
    "seconds": 1708690606
  },
  "@enableCbnForLoop": true,
  "@onErrorCount": 0,
  "@output": [],
  "@timezone": "",
  "message": "{\\n \\"records\\": {\\n \\"hostname\\": \\"host\\"\\n },\\n \\"resourceIdentifiers\\": [\\n {\\n \\"tentantid\\": \\"a123\\",\\n \\"type\\": \\"access\\",\\n \\"subnet\\": [\\n {\\n \\"ip\\": \\"10.1.1.1\\"\\n },\\n {\\n \\"ip\\": \\"10.1.1.2\\"\\n }\\n ]\\n }\\n ]\\n}\\n",
  "records": {
    "hostname": "host"
  },
  "resourceIdentifiers": {
    "0": {
      "subnet": {
        "0": {
          "ip": "10.1.1.1"
        },
        "1": {
          "ip": "10.1.1.2"
        }
      },
      "tentantid": "a123",
      "type": "access"
    }
  }
}
```

Why is the `event.idm.read_only_udm` field not showing in the statedump?

What am I missing in my understanding here, please?

May I please seek some guidance on this?

@Dimarskyi was wondering if you could help.

Thank you.

