JSON Extractor Depth (Gsuite Report Logs)

I’m receiving logs from Google Gsuite’s Reports API to a standard input port, and using a basic JSON extractor to structure the message into fields.

The logs are formatted as follows:

  "etag": "\"QNNojSN613EjCqWMovWbEZj8Fik/bbgpyQ0cd7d6yspoMvegehSjo0E\"",
  "id": {
    "time": "2018-03-01T14:48:57.943Z",
    "uniqueQualifier": "-9051756310720384105",
    "applicationName": "token",
    "customerId": "C03215ep9"
  "kind": "admin#reports#activity",
  "actor": {
    "profileId": "114315282893486486139",
    "email": "user@domain"
  "events": [
      "parameters": [
          "value": "619872790197-0au3m58c2q0phgqbqqp4ka429ckusggt.apps.googleusercontent.com",
          "name": "client_id"
          "value": "Slack",
          "name": "app_name"
          "multiValue": [
          "name": "scope"
      "name": "authorize"

However, everything under “events” is not extracted as I would expect into separate fields, instead it stays one chunk of text.


{parameters [{value=619872790197-0au3m58c2q0phgqbqqp4ka429ckusggt.apps.googleusercontent.com, name=client_id}, {value=Slack, name=app_name}, {multiValue=[https://www.googleapis.com/auth/plus.me, https://www.googleapis.com/auth/userinfo.profile, https://www.googleapis.com/auth/userinfo.email], name=scope}], name=authorize}

Is there something related to the depth of the JSON extractor that causes this?

The JSON extractor currently doesn’t support expanding objects inside of arrays (e. g. anything below "events").

Feel free to create a feature request at https://github.com/Graylog2/graylog2-server/issues.

Thanks. Is there a way as far as you know to create a second extractor on this field that would expand the array?

Not, but if you’re only interested in very specific attributes inside the JSON payload, you could extract them in a pipeline rule with select_jsonpath().

Excellent, thanks much.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.