Hello
1. Describe your incident:
I am processing data from the o365 api. It’s all straightforward enough, however for some reason occasionally O365 stuffs extra data fields into a single field called o365_extended_properties. The actual content varies - often the field is not there, but when it is, it can contain different fields. Two examples:
[{"Name":"ResultStatusDetail","Value":"Success"},{"Name":"UserAgent","Value":"Windows-AzureAD-Authentication-Provider/1.0"},{"Name":"UserAuthenticationMethod","Value":"262144"},{"Name":"RequestType","Value":"OAuth2:Token"}]
[{"Name":"ResultStatusDetail","Value":"Success"},{"Name":"RequestType","Value":"OAuth2:Token"}]
They are always in the format Name:<name_of_field>, Value:<field_value>
What I’d like is to create fields in the message with the corresponding name and value. Is it possible to write a generic rule to do this without specifying field names for set_field (but also avoiding having fields named ‘Name’ and “value”)?
This is Graylog 5.1
thanks
Rob
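
The transformation asked about above, sketched in Python as an added example; it is not part of the original post and is not a Graylog pipeline rule. It assumes the flattening runs in a script before the message reaches Graylog. The `o365_ext_` prefix and the function names are hypothetical; the prefix keeps log-supplied `Name` values from overwriting existing message fields.

```python
import json
import re

PREFIX = "o365_ext_"  # assumed prefix; generated names cannot collide with core fields

# The two sample values from the post, retyped with plain ASCII quotes.
SAMPLE_FULL = ('[{"Name":"ResultStatusDetail","Value":"Success"},'
               '{"Name":"UserAgent","Value":"Windows-AzureAD-Authentication-Provider/1.0"},'
               '{"Name":"UserAuthenticationMethod","Value":"262144"},'
               '{"Name":"RequestType","Value":"OAuth2:Token"}]')
SAMPLE_SHORT = ('[{"Name":"ResultStatusDetail","Value":"Success"},'
                '{"Name":"RequestType","Value":"OAuth2:Token"}]')


def flatten_extended_properties(raw, prefix=PREFIX):
    """Turn [{"Name": n, "Value": v}, ...] into {prefix + n: v}."""
    if not raw:
        return {}  # field absent or empty: nothing to add
    try:
        items = json.loads(raw) if isinstance(raw, str) else raw
    except json.JSONDecodeError:
        return {}  # malformed value: leave the message unchanged
    if not isinstance(items, list):
        return {}
    fields = {}
    for item in items:
        if not isinstance(item, dict) or "Name" not in item:
            continue  # skip entries that are not Name/Value objects
        # Names come from the log itself, so restrict them to safe characters.
        name = re.sub(r"[^A-Za-z0-9_]", "_", str(item["Name"]))
        if name:
            fields[prefix + name] = item.get("Value")
    return fields


def enrich(message):
    """Return a copy of the message with the flattened fields added."""
    merged = dict(message)
    extra = flatten_extended_properties(message.get("o365_extended_properties"))
    for key, value in extra.items():
        merged.setdefault(key, value)  # never overwrite an existing field
    return merged


if __name__ == "__main__":
    print(enrich({"source": "o365", "o365_extended_properties": SAMPLE_SHORT}))
```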