Unable to Parse principal.user.email_addresses No error and No result

Question

Good Day.  I am trying to  parse the following value from a log:
{
  "EMAIL": "PII REMOVED BY STAFF"
}
 Using the following Synatx:

filter {
  mutate {
    replace => {
      "EMAIL" => ""
    }
  }

mutate { replace => {"event.idm.read_only_udm.metadata.event_type" => "GENERIC_EVENT"
    }
}

json {
    source => "message"
    array_function => "split_columns"
  }

if [EMAIL] != "" {
  mutate {
    replace => {
      "principal.user.email_addresses" => "%{EMAIL}"
  }
}

mutate {
    merge => {
      "@output" => "event"
    }
  }
}
}
 
But I get no results for the principal.user.email_addresses, I feel like there is something really simple that I am overlooking here.

Digal · Accepted Answer

Hi ,When setting this up, please keep two important things in mind:The correct mapping for the email address is:event.idm.read_only_udm.principal.user.email_addressesBecause "principal.user.email_addresses" is a repeated field, you'll need to implement a merge function to handle it properly.updated code:filter {mutate {replace => {"EMAIL" => ""}}mutate { replace => {"event.idm.read_only_udm.metadata.event_type" => "GENERIC_EVENT"}}json {source => "message"array_function => "split_columns"}if [EMAIL] != "" {mutate {merge => {"event.idm.read_only_udm.principal.user.email_addresses" => "EMAIL"}on_error => "email_addresses_merge_error"}}mutate {merge => {"@output" => "event"}}}

Reply

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded