JSON Extractor Depth (Gsuite Report Logs)

I’m receiving logs from Google Gsuite’s Reports API to a standard input port, and using a basic JSON extractor to structure the message into fields.

The logs are formatted as follows:

{
  "etag": "\"QNNojSN613EjCqWMovWbEZj8Fik/bbgpyQ0cd7d6yspoMvegehSjo0E\"",
  "id": {
    "time": "2018-03-01T14:48:57.943Z",
    "uniqueQualifier": "-9051756310720384105",
    "applicationName": "token",
    "customerId": "C03215ep9"
  },
  "kind": "admin#reports#activity",
  "actor": {
    "profileId": "114315282893486486139",
    "email": "user@domain"
  },
  "events": [
    {
      "parameters": [
        {
          "value": "619872790197-0au3m58c2q0phgqbqqp4ka429ckusggt.apps.googleusercontent.com",
          "name": "client_id"
        },
        {
          "value": "Slack",
          "name": "app_name"
        },
        {
          "multiValue": [
            "https://www.googleapis.com/auth/plus.me",
            "https://www.googleapis.com/auth/userinfo.profile",
            "https://www.googleapis.com/auth/userinfo.email"
          ],
          "name": "scope"
        }
      ],
      "name": "authorize"
    }
  ]
}

However, everything under “events” is not extracted as I would expect into separate fields; instead it stays one chunk of text.

events

{parameters [{value=619872790197-0au3m58c2q0phgqbqqp4ka429ckusggt.apps.googleusercontent.com, name=client_id}, {value=Slack, name=app_name}, {multiValue=[https://www.googleapis.com/auth/plus.me, https://www.googleapis.com/auth/userinfo.profile, https://www.googleapis.com/auth/userinfo.email], name=scope}], name=authorize}

Is there something related to the depth of the JSON extractor that causes this?

The JSON extractor currently doesn’t support expanding objects inside of arrays (e.g. anything below "events").

Feel free to create a feature request at https://github.com/Graylog2/graylog2-server/issues.

Thanks. Is there a way as far as you know to create a second extractor on this field that would expand the array?

No, but if you’re only interested in very specific attributes inside the JSON payload, you could extract them in a pipeline rule with select_jsonpath().
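
An added example of the pipeline-rule approach suggested above, applied to the sample log in the question (not code from the thread's participants or from the Graylog project). It assumes the raw JSON is in the `message` field and that the rule runs in a pipeline connected to the input's stream; the `gsuite_*` field names and the rule name are hypothetical.

```graylog
rule "gsuite reports: extract fields from events[0]"
when
  // Only touch messages that carry a Reports API activity record.
  has_field("message") &&
  contains(to_string($message.message), "admin#reports#activity")
then
  // Parse the raw payload once, then pick out the nested values by path.
  let json = parse_json(to_string($message.message));

  // Parameters are matched by their "name" attribute rather than by array
  // position, so the rule does not depend on the order of the parameters.
  // JSONPath filter expressions return a list, even for a single match.
  let fields = select_jsonpath(json, {
    gsuite_event_name: "$.events[0].name",
    gsuite_client_id:  "$.events[0].parameters[?(@.name == 'client_id')].value",
    gsuite_app_name:   "$.events[0].parameters[?(@.name == 'app_name')].value",
    gsuite_scopes:     "$.events[0].parameters[?(@.name == 'scope')].multiValue"
  });

  // Write every extracted value onto the message as its own field.
  set_fields(fields);
end
```

With the sample log, this yields separate fields for the event name (`authorize`), the OAuth client ID, the application name (`Slack`) and the granted scopes, which can then be searched or alerted on individually. Only the first entry of `events` is read; a record with several events needs additional paths.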

Excellent, thanks much.
