Json Lists Help

reconluke · July 22, 2020, 4:05pm

I have a field that contains valid json wrapped in brackets, example: [{“Href”:“https[:]//protection[.]office[.]com/viewalerts?id=randomchars”,“Category”:null,“Label”:“alert”,“Type”:“webLink”}]

What is the best way to get this json parsed? Should I trim, do a replace [{ with { and }] with }, something else?

Any help would be appreciated.

Thanks,

shoothub · July 23, 2020, 10:41am

You can use for example this snippet. If you want to prefix fields from json replace “prefix_” in function set_field and uncomment line and comment previous one.

rule "extract-json"
when
    has_field("json_field")
then
    let extractjson = regex(pattern: "\\[(\\{.*\\})\\]", value: to_string($message.json_field));
    let json = parse_json(to_string(extractjson["0"]));
    let map = to_map(json);
    set_fields(map);
    // Optionally add prefix "prefix_" to json fields
    //set_fields(map, "prefix_");
    
    // Optionally replace [:.] in URL in field prefix_Href
    //let fix_url = regex_replace("\\[(:|.)\\]", to_string($message.prefix_Href), "$1");
    //set_field("prefix_Href", fix_url);
    
    // Optionally remove field
    //remove_field("json_field");
    
    // Optionally rename one of the field
    //rename_field("prefix_Href", "URL");
end

reconluke · July 23, 2020, 7:47pm

Hey thanks for providing that snippet. I tried to use it and unfortunately it did not parse out the fields from that json list. Here is the updated snippet with the fields added in:

rule "normalize_entities"
when
    has_field("Entities")
then
    let extractjson = regex(pattern: "\\[(\\{.*\\})\\]", value: to_string($message.Entities));
    let json = parse_json(to_string(extractjson["0"]));
    let map = to_map(json);
    set_fields(map);
    // Optionally add prefix "prefix_" to json fields
    set_fields(map, "entities_");

end

I’m not sure what I am missing here, but this looks correct based on the snippet you provided. I also ran the json list thru a regex checker using the regex you provided and seems like it should have worked. Any thoughts?

Thanks,

shoothub · July 24, 2020, 7:43am

Please don’t use set_fields several times:

If you want to create field names based on json, use line: set_fields(map);
If you want to add prefix to field names, use line: set_fields(map, "entities_");

Use one of the line, but not both.

Try to debug, if regex works for you, add:

let debug_message = concat("Regex check: ", extractjson);
debug(debug_message);

And check graylog log file: /var/log/graylog-server/server.log

system · August 7, 2020, 7:43am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
JSON List Parsing Graylog Central (peer support)	4	723	March 22, 2019
Not able to extract fields from nested json Graylog Central (peer support)	4	67	July 14, 2024
JsonList parser Graylog Central (peer support) pipeline-rules	12	1154	June 15, 2022
How can i extract json from full_message Graylog Central (peer support)	3	2738	March 9, 2020
Problems with regular expression extractor for json (prior to json extractor) Graylog Central (peer support)	2	896	December 5, 2022

Json Lists Help

Related topics