Extracting JSON of varying content from a o365_extended_properties

Hello

1. Describe your incident:

I am processing data from the o365 api. It's all straightforward enough, however for some reason occasionally O365 stuffs extra data fields into a single field called o365_extended_properties. The actual content varies - often the field is not there, but when it is it can contain different fields. Two examples:

[{"Name":"ResultStatusDetail","Value":"Success"},{"Name":"UserAgent","Value":"Windows-AzureAD-Authentication-Provider/1.0"},{"Name":"UserAuthenticationMethod","Value":"262144"},{"Name":"RequestType","Value":"OAuth2:Token"}]

[{"Name":"ResultStatusDetail","Value":"Success"},{"Name":"RequestType","Value":"OAuth2:Token"}]

They are always in the format Name:<name_of_field>, Value:<field_value>

What I'd like is to create fields in the message with the corresponding name and value. Is it possible to write a generic rule to do this without specifying field names for set_field (but also avoiding having fields named 'Name' and 'Value')?

This is Graylog 5.1

thanks

Rob


I would use some regex replace to transform those into key value pairs, basically taking out all the name and value stuff and leaving the actual name and actual value with something like = between them. Then run them through the key_value function, and then finally pass that to set_fields.

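The regex-replace / key_value / set_fields chain described in the reply above, written out as a Graylog pipeline rule. This is an added example, not code from the thread; it assumes o365_extended_properties arrives as the raw JSON string and that field names and values contain no embedded double quotes or commas.

```graylog
rule "expand o365_extended_properties into fields"
when
  has_field("o365_extended_properties")
then
  // Assumption: the field holds the raw JSON text, e.g.
  // [{"Name":"ResultStatusDetail","Value":"Success"},{"Name":"RequestType","Value":"OAuth2:Token"}]
  let raw = to_string($message.o365_extended_properties);

  // Step 1: turn every {"Name":"X","Value":"Y"} object into X=Y.
  // Whitespace around the JSON tokens is tolerated and an empty Value is allowed.
  let pairs = regex_replace(
    "\\{\\s*\"Name\"\\s*:\\s*\"([^\"]+)\"\\s*,\\s*\"Value\"\\s*:\\s*\"([^\"]*)\"\\s*\\}",
    raw,
    "$1=$2"
  );

  // Step 2: strip the surrounding [ ] so only X=Y,X2=Y2 remains.
  let kv_text = regex_replace("^\\[|\\]$", pairs, "");

  // Step 3: split on "," between pairs and on "=" inside each pair.
  // A value such as OAuth2:Token stays intact because ":" is not a delimiter here.
  let kv = key_value(
    value: kv_text,
    delimiters: ",",
    kv_delimiters: "=",
    ignore_empty_values: true
  );

  // Step 4: write each pair as its own field, namespaced so the dynamic
  // names (which the sender controls) cannot overwrite existing fields.
  // The message ends up with o365_ResultStatusDetail, o365_RequestType, ...
  set_fields(fields: kv, prefix: "o365_");
end
```

A value that itself contains a comma or a double quote would be split incorrectly by this approach; for such data, parse_json on the raw field and iterating the resulting objects is the more robust route.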
