
Good Day. I am trying to parse the following value from a log:

{
  "EMAIL": "PII REMOVED BY STAFF"
}

Using the following syntax:

filter {
  mutate {
    replace => {
      "EMAIL" => ""
    }
  }

  mutate {
    replace => {
      "event.idm.read_only_udm.metadata.event_type" => "GENERIC_EVENT"
    }
  }

  json {
    source => "message"
    array_function => "split_columns"
  }

  if [EMAIL] != "" {
    mutate {
      replace => {
        "principal.user.email_addresses" => "%{EMAIL}"
      }
    }

    mutate {
      merge => {
        "@output" => "event"
      }
    }
  }
}
But I get no results for the principal.user.email_addresses, I feel like there is something really simple that I am overlooking here.


Hi,

When setting this up, please keep two important things in mind:

  1. The correct mapping for the email address is:
    event.idm.read_only_udm.principal.user.email_addresses
  2. Because "principal.user.email_addresses" is a repeated field, you'll need to implement a merge function to handle it properly.

Updated code:

filter {
  mutate {
    replace => {
      "EMAIL" => ""
    }
  }

  mutate {
    replace => {
      "event.idm.read_only_udm.metadata.event_type" => "GENERIC_EVENT"
    }
  }

  json {
    source => "message"
    array_function => "split_columns"
  }

  if [EMAIL] != "" {
    mutate {
      merge => {
        "event.idm.read_only_udm.principal.user.email_addresses" => "EMAIL"
      }
      on_error => "email_addresses_merge_error"
    }
  }

  mutate {
    merge => {
      "@output" => "event"
    }
  }
}
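To make the two points in the answer concrete, here is an added Python model of why the original filter produced nothing and the updated one works. It is not Chronicle's parser code and not part of either post: the field store, the "replace" (scalar assignment) and "merge" (append to a repeated field) semantics, and the rule that only the "event" subtree reaches the output are assumptions made for illustration, and the sample message is constructed.

```python
"""Toy model of mutate 'replace' vs 'merge' on a dotted UDM field path.

Added illustration only; the semantics below are an assumption, not
Chronicle's implementation.
"""
import json
from typing import Any

# Constructed sample log line with the same shape as the one in the question.
SAMPLE_MESSAGE = '{"EMAIL": "user@example.invalid"}'


def _walk(root: dict, dotted: str, create: bool) -> tuple:
    """Return (parent dict, leaf key) for a dotted path such as 'a.b.c'.

    With create=False a missing intermediate node yields an empty parent,
    so the caller can detect that the field is unset.
    """
    parts = dotted.split(".")
    node = root
    for part in parts[:-1]:
        if part not in node:
            if not create:
                return {}, parts[-1]
            node[part] = {}
        node = node[part]
    return node, parts[-1]


def replace_field(state: dict, path: str, value: str) -> None:
    """mutate { replace => { path => value } }: assign a scalar, overwriting."""
    parent, key = _walk(state, path, create=True)
    parent[key] = value


def merge_field(state: dict, path: str, source: str) -> None:
    """mutate { merge => { path => source } }: append the value held in the
    field named `source` to the repeated (list-valued) field at `path`."""
    src_parent, src_key = _walk(state, source, create=False)
    if src_key not in src_parent:
        # This is the situation the answer's on_error tag is there to catch.
        raise KeyError(f"source field {source!r} is not set")
    value = src_parent[src_key]
    dst_parent, dst_key = _walk(state, path, create=True)
    dst_parent.setdefault(dst_key, [])
    if isinstance(value, list):
        dst_parent[dst_key].extend(value)
    else:
        dst_parent[dst_key].append(value)


def _common_prefix(message: str) -> dict:
    """Steps shared by both filters: defaults, event_type, json parsing."""
    state: dict = {"message": message}
    replace_field(state, "EMAIL", "")
    replace_field(state, "event.idm.read_only_udm.metadata.event_type", "GENERIC_EVENT")
    state.update(json.loads(state["message"]))  # json { source => "message" }
    return state


def run_original(message: str) -> dict:
    """The question's filter: unprefixed path plus scalar replace.

    The email lands in a top-level 'principal' field, outside 'event',
    so it never reaches the output that is built from 'event'."""
    state = _common_prefix(message)
    if state["EMAIL"] != "":
        replace_field(state, "principal.user.email_addresses", state["EMAIL"])
    return state["event"]  # merge => { "@output" => "event" }


def run_updated(message: str) -> dict:
    """The answer's filter: full UDM path and merge into the repeated field."""
    state = _common_prefix(message)
    if state["EMAIL"] != "":
        try:
            merge_field(state, "event.idm.read_only_udm.principal.user.email_addresses", "EMAIL")
        except KeyError:
            state["email_addresses_merge_error"] = True  # on_error => "..."
    return state["event"]


if __name__ == "__main__":
    print(json.dumps(run_original(SAMPLE_MESSAGE), indent=2))
    print(json.dumps(run_updated(SAMPLE_MESSAGE), indent=2))
```

Running it side by side shows the output of the original filter carrying only metadata.event_type, while the updated filter yields email_addresses as a one-element list under the full read_only_udm path; a message without an EMAIL key leaves the field unset in both cases because the if guard never fires.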
