This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

parser extensions

Posted on 01-29-2024 02:11 AM
mountaincode2
Bronze 5
Bronze 5
Reply posted on --/--/---- --:-- AM

I am looking at the logstash filters in the following parser extension documentation:

 
I have a couple of queries:
1. what does the `array_function` do over here please?
json {
        source => "message"
        array_function => "split_columns"
    }

2. can you please explain what does `"@output" => "event" do? - what does it mean to say bind the udm fields to @output key.

mutate {
      merge => {
          "@output" => "event"
      }
    }

 

Solved Solved
1 2 127
Topic Labels
Jump to Solution
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
reapzor
Bronze 2
Bronze 2
Reply posted on --/--/---- --:-- AM

Hi there!

As said in the other post: the array_function defines how it needs to process a json array see this page for an example: https://cloud.google.com/chronicle/docs/reference/parser-syntax#manipulating_json_arrays 

You normally build up a parser by

1. splitting up the raw message into parameters that you can use

2. add those parameters to UDM fields (typically set to an "event" variable, but you could name it whatever you want"

3. merge the event with the already existing output 

The final step is the one that is done in the mutate/merge statement.

View solution in original post

Jump to Solution
2 REPLIES 2

Posted on --/--/---- --:-- AM
deeshu
Bronze 4
Bronze 4
Reply posted on --/--/---- --:-- AM 
array_function => "split_columns"

// this is used to split nested arrays into column. e.g. if your src.ip field is an array and having multiple ips. It will split into columns that you'll be able to access it like src.ip.0, src.ip.1 ... src.ip.n

Below configuration is needed to merge all the etl you are doing in a parser to an event. PS- event is a reserved keyword

mutate {
      merge => {
          "@output" => "event"
      }
    }

deeshu_0-1706529409006.png

 

Jump to Solution

Posted on --/--/---- --:-- AM
reapzor
Bronze 2
Bronze 2
Reply posted on --/--/---- --:-- AM

Hi there!

As said in the other post: the array_function defines how it needs to process a json array see this page for an example: https://cloud.google.com/chronicle/docs/reference/parser-syntax#manipulating_json_arrays 

You normally build up a parser by

1. splitting up the raw message into parameters that you can use

2. add those parameters to UDM fields (typically set to an "event" variable, but you could name it whatever you want"

3. merge the event with the already existing output 

The final step is the one that is done in the mutate/merge statement.

Jump to Solution
Top Solution Authors
View all