Extract nested json issue

rfinney · February 1, 2024, 6:24pm

So graylog doesn’t like nested json and it needs to be flat.

github.com/Graylog2/graylog-plugin-beats

Decoding nested JSON objects

opened 03:39PM - 11 May 16 UTC

feature triaged in progress

When using Packetbeat to send messages directly to Graylog2, the nested JSON obj…ects won't be decoded and would be seen as '[object Object],[object Object]' under search UI. Example input JSON message: ``` { "_index" : "graylog_5", "_type" : "message", "_id" : "572b9193-16df-11e6-8a3b-000c2942c251", "_version" : 1, "found" : true, "_source" : { "packetbeat_bytes_in" : 32, "packetbeat_method" : "QUERY", "packetbeat_type" : "dns", "packetbeat_responsetime" : 140, "packetbeat_query" : "class IN, type A, conn.skype.com", "gl2_remote_ip" : "172.16.220.1", "packetbeat_dns_question_name" : "conn.skype.com", "gl2_remote_port" : 65532, "packetbeat_dns_additionals_count" : 0, "packetbeat_dns_answers_count" : 2, "source" : "abs-MacBook-Pro.local", "type" : "dns", "gl2_source_input" : "572a39d0cdf3830902a406df", "packetbeat_dns_response_code" : "NOERROR", "packetbeat_direction" : "out", "packetbeat_client_ip" : "192.168.0.3", "packetbeat_dns_flags_recursion_allowed" : true, "packetbeat_dns_flags_truncated_response" : false, "packetbeat_dns_question_class" : "IN", "gl2_source_node" : "b6d4add1-2cfc-4fd1-b18d-0ad0478e00a8", "packetbeat_dns_flags_authoritative" : false, "packetbeat_status" : "OK", "packetbeat_client_port" : 60426, "timestamp" : "2016-05-10 18:45:16.558", "packetbeat_ip" : "192.168.0.1", "packetbeat_dns_op_code" : "QUERY", "packetbeat_bytes_out" : 83, "packetbeat_dns_flags_recursion_desired" : true, "packetbeat_transport" : "udp", "packetbeat_dns_authorities_count" : 0, "packetbeat_resource" : "conn.skype.com", "streams" : [ "572ae5c9cdf3830902a4bb7f" ], "packetbeat_dns_answers" : [ { "class" : "IN", "data" : "conn.skype.akadns.net", "name" : "conn.skype.com", "ttl" : 464, "type" : "CNAME" }, { "class" : "IN", "data" : "91.190.216.81", "name" : "conn.skype.akadns.net", "ttl" : 300, "type" : "A" } ], "message" : "-", "packetbeat_dns_question_type" : "A", "packetbeat_count" : 1, "name" : "MacBook-Pro.local", "packetbeat_dns_id" : 62527, "facility" : "packetbeat", "packetbeat_port" : 53 } } ``` packetbeat_dns_answers structure won't be decoded in this example.

github.com/Graylog2/graylog2-server

Fix problems rendering object field values

Graylog2:master ← Graylog2:beats-issue-3

opened 03:21PM - 21 Nov 16 UTC

edmundoa

+4 -4

Some messages may contain objects as field values and we need to properly conver…t them into strings that can be rendered by react. This commit changes the way we convert values into strings, relying on `JSON.stringify()` to do it. Refs Graylog2/graylog-plugin-beats#3. It may also be related to #2946. **Update**: As @joschi pointed out, this only fixes part of the problem in Graylog2/graylog-plugin-beats#3: being able to display messages with a hierarchical structure. The change does not affect how Graylog internally handles those messages.

Code from @jivepig found here appears to have fixed the issue:

rule "Random User Data Flatten Json Rule"
// From sample data : https://randomuser.me/api/
// Api input path: *
when
    true
then
    let sJson = to_string($message.message);
    let sJson = regex_replace(
        pattern: "^\\[|\\]$",
        value: sJson,
        replacement: ""
        );
    let rsJson = flatten_json(to_string(sJson), "flatten");
    set_fields(to_map(rsJson));
    //remove_field("result");
    //set_field("message", "parsed user data");
end

Topic		Replies	Views
Parsing nested JSON message Graylog Central (peer support)	1	1122	October 16, 2019
How to extract Json field Graylog Central (peer support)	3	4092	March 14, 2019
JSON fields not extracted properly Graylog Central (peer support)	2	364	November 19, 2020
Can't extract from JSON Graylog Central (peer support) pipeline-rules	5	1757	September 7, 2020
JSON extractor not working Graylog Central (peer support) pipeline-rules	10	5693	August 22, 2020

Extract nested json issue

Related Topics