JSON Extractor Issue

Following on from my previous question (15291), our JSON extractor is now running, but there is another issue.

We are extracting from Zeek data collected from Security Onion 16.04, and the format is JSON.
The http data has an optional field, status_code, in Zeek, which mostly contains a number, but sometimes is missing. The data is being stored as compound(long,string), even after forcing the index to rotate.
I would be OK with forcing the status_code to 0 if it was missing, but there seems to be no way to configure the JSON extractor to do that.

Is there another way that would work?

Don’t put data of another format in the same field.
E.g. check the data, and the format, before you put it in field X.
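
One way to do the check suggested in the reply above, as an added example that is not part of the original thread: a Python pre-processing step, assumed here to run on the Zeek JSON lines before they reach the JSON extractor, that forces status_code to an integer and sets it to 0 when it is missing or non-numeric. The sample records and function names are constructed for illustration.

```python
import json

# Constructed Zeek http records (JSON, one per line); not real traffic.
SAMPLE_LINES = [
    '{"ts": 1556000000.1, "uid": "CAbc1", "method": "GET", "status_code": 200}',
    '{"ts": 1556000001.2, "uid": "CAbc2", "method": "GET"}',
    '{"ts": 1556000002.3, "uid": "CAbc3", "method": "POST", "status_code": "404"}',
    '{"ts": 1556000003.4, "uid": "CAbc4", "method": "GET", "status_code": "-"}',
    '{"ts": 1556000004.5, "uid": "CAbc5", "method": "GET", "status_code": null}',
]

MISSING_STATUS = 0  # value the question proposes for records without a status


def normalize_status(record, field="status_code", default=MISSING_STATUS):
    """Return a copy of record whose `field` is always an int."""
    out = dict(record)
    value = out.get(field)
    if isinstance(value, bool):
        out[field] = default          # JSON true/false is not a status code
    elif isinstance(value, int):
        pass                          # already the type we want
    elif isinstance(value, float) and value.is_integer():
        out[field] = int(value)       # e.g. 200.0
    elif isinstance(value, str) and value.strip().isascii() and value.strip().isdigit():
        out[field] = int(value.strip())  # numeric string such as "404"
    else:
        out[field] = default          # missing, null, "-", or other text
    return out


def normalize_lines(lines):
    """Parse JSON lines, normalize each record, and re-serialize."""
    result = []
    for line in lines:
        line = line.strip()
        if line:
            record = normalize_status(json.loads(line))
            result.append(json.dumps(record, sort_keys=True))
    return result


def field_types(lines, field="status_code"):
    """Type names seen for `field`; a single entry means no type conflict."""
    return {type(json.loads(line).get(field)).__name__ for line in lines}


if __name__ == "__main__":
    for normalized in normalize_lines(SAMPLE_LINES):
        print(normalized)
```

Running `field_types` over the raw and the normalized lines shows whether a mixed-type field would still be sent on.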
