I’m receiving logs from Google Gsuite’s Reports API to a standard input port, and using a basic JSON extractor to structure the message into fields.
The logs are formatted as follows:
{
"etag": "\"QNNojSN613EjCqWMovWbEZj8Fik/bbgpyQ0cd7d6yspoMvegehSjo0E\"",
"id": {
"time": "2018-03-01T14:48:57.943Z",
"uniqueQualifier": "-9051756310720384105",
"applicationName": "token",
"customerId": "C03215ep9"
},
"kind": "admin#reports#activity",
"actor": {
"profileId": "114315282893486486139",
"email": "user@domain"
},
"events": [
{
"parameters": [
{
"value": "619872790197-0au3m58c2q0phgqbqqp4ka429ckusggt.apps.googleusercontent.com",
"name": "client_id"
},
{
"value": "Slack",
"name": "app_name"
},
{
"multiValue": [
"https://www.googleapis.com/auth/plus.me",
"https://www.googleapis.com/auth/userinfo.profile",
"https://www.googleapis.com/auth/userinfo.email"
],
"name": "scope"
}
],
"name": "authorize"
}
]
}
However, everything under “events” is not extracted as I would expect into separate fields, instead it stays one chunk of text.
events
{parameters [{value=619872790197-0au3m58c2q0phgqbqqp4ka429ckusggt.apps.googleusercontent.com, name=client_id}, {value=Slack, name=app_name}, {multiValue=[https://www.googleapis.com/auth/plus.me, https://www.googleapis.com/auth/userinfo.profile, https://www.googleapis.com/auth/userinfo.email], name=scope}], name=authorize}
Is there something related to the depth of the JSON extractor that causes this?