JSON Extractor Depth (Gsuite Report Logs)

(nqnzp) #1

I’m receiving logs from Google Gsuite’s Reports API to a standard input port, and using a basic JSON extractor to structure the message into fields.

The logs are formatted as follows:

  "etag": "\"QNNojSN613EjCqWMovWbEZj8Fik/bbgpyQ0cd7d6yspoMvegehSjo0E\"",
  "id": {
    "time": "2018-03-01T14:48:57.943Z",
    "uniqueQualifier": "-9051756310720384105",
    "applicationName": "token",
    "customerId": "C03215ep9"
  "kind": "admin#reports#activity",
  "actor": {
    "profileId": "114315282893486486139",
    "email": "user@domain"
  "events": [
      "parameters": [
          "value": "619872790197-0au3m58c2q0phgqbqqp4ka429ckusggt.apps.googleusercontent.com",
          "name": "client_id"
          "value": "Slack",
          "name": "app_name"
          "multiValue": [
          "name": "scope"
      "name": "authorize"

However, everything under “events” is not extracted as I would expect into separate fields, instead it stays one chunk of text.


{parameters [{value=619872790197-0au3m58c2q0phgqbqqp4ka429ckusggt.apps.googleusercontent.com, name=client_id}, {value=Slack, name=app_name}, {multiValue=[https://www.googleapis.com/auth/plus.me, https://www.googleapis.com/auth/userinfo.profile, https://www.googleapis.com/auth/userinfo.email], name=scope}], name=authorize}

Is there something related to the depth of the JSON extractor that causes this?

(Jochen) #2

The JSON extractor currently doesn’t support expanding objects inside of arrays (e. g. anything below "events").

Feel free to create a feature request at https://github.com/Graylog2/graylog2-server/issues.

(nqnzp) #3

Thanks. Is there a way as far as you know to create a second extractor on this field that would expand the array?

(Jochen) #4

Not, but if you’re only interested in very specific attributes inside the JSON payload, you could extract them in a pipeline rule with select_jsonpath().

(nqnzp) #5

Excellent, thanks much.

(system) #6

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.