Hello everyone!
I am creating a custom parser for JSON logs and I need to convert domains_list into principal.user.attribute.labels in the UDM event.
"activity_metadata": {
  "settings_new_value": {
    "block_type": "whitelist",
    "domains_list": [ "test.com", "attack.mitre.org" ]
  },
I converted block_type already, using the following code
"domains_list_not_set": true, and doesn't parse the data.
Do I need to use regex to do that?
Thank you in advance!
I'm not sure if you can write an array directly like that, but I do know you can iterate over arrays. I've solved something similar and modified the code to suit your example. I've left the statedump in so you can make sure each iteration is working correctly.
Lemme know if that makes sense; you'll just have to copy-paste your variable names over if you're happy.
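An added example of the array iteration the answer describes, written in Chronicle's logstash-style parser syntax; this is not the answerer's snippet. The field paths come from the question's JSON, and the temporary `_label` field name and the `message` source field are assumptions.

```logstash
filter {
  # Parse the raw JSON record into named fields; "message" as the source field is assumed.
  json {
    source => "message"
    on_error => "not_json"
  }

  # One iteration per entry of the domains_list array from the question's sample.
  for index, domain in activity_metadata.settings_new_value.domains_list {
    # Build a single key/value label in a temporary field (the "_label" name is assumed).
    mutate {
      replace => {
        "_label.key" => "domain_list"
        "_label.value" => "%{domain}"
      }
    }
    # Append the label to the repeated labels field on the UDM principal user.
    mutate {
      merge => {
        "event.idm.read_only_udm.principal.user.attribute.labels" => "_label"
      }
    }
    # Uncomment to inspect parser state after each iteration, as the answer suggests.
    # statedump { label => "domains_loop" }
  }

  # Emit the assembled UDM event.
  mutate {
    merge => {
      "@output" => "event"
    }
  }
}
```

For target.resource instead of principal.user (as in the confirmation post), only the merge path changes.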
This code also worked perfectly for me, thank you!🙂
In my case, I just used different labels
Ah, the infamous nested arrays within logstash/chronicle implementations.
Nicely done @ion_. I can confirm that works in labels:
target.resource.attribute.labels[0].key "domain_list"
target.resource.attribute.labels[0].value "test.com"
target.resource.attribute.labels[1].key "domain_list"
target.resource.attribute.labels[1].value "attack.mitre.org"
This is the output from the custom parser preview.