Please help
Trying to parse json
My Pipeline:
rule “extract_json”
when
has_field(“json”)
then
parse_json(to_string($message.json));
end
Below is the error i get in the graylog log
exception_message
Unrecognized character escape ‘a’ (code 97)
at [Source:
{“atp_protocol”:“rrs”,“data_direction”:1,“data_source_ip”:null,“data_source_url”:null,“data_source_url_domain”:null,“data_source_url_referer”:null,“device_ip”:“xxx.xx.xx.xxx”,“device_name”:“xxxxxx”,“device_time”:“2018-12-22T03:32:42.710Z”,“device_uid”:“1ec71456-6d43-4e89-824a-108cffe408fa”,“disposition”:1,“downloaded_portal_id”:null,“enterprise_uid”:“AF6158E4770CFA9CCA9F85E22ED85FB8”,“external_ip”:null,“feature_name”:“ATP:Endpoint”,“feature_ver”:“2014.2.0”,“file”:{“attributes”:null,“confidence”:4,“confidence_atp”:4,“desc”:null,“disposition”:1,“disposition_atp”:1,“file_age”:null,“first_seen”:null,“folder”:“CSIDL_WINDOWS\assembly ativeimages_v2.0.50727_32\microsoft.visualstu#\a95c7cb1fd41f7b018c53bd4c05424ed”,“md5”:“b59aae7e1f317f87ce0baf5d2867d6c5”,“name”:“Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll”,“prevalence”:0,“prevalence_band”:0,“reputation_band”:4,“sha2”:“aa6faa778cb4f4b7a7e548143415b1c9c8afa48b38e8892418d13b85c2951800”,“signature_company_name”:null,“signature_issuer”:null,“signature_serial_number”:null,“size”:134144},“id”:2,“initiating_engine”:null,“parent_file_name”:null,“parent_file_sha2”:null,“parent_installer_url”:null,“product_name”:“ATP:Endpoint”,“request_reason”:null,“rule_id”:null,“rule_version”:0,“sep_mid”:“766fe06491274fd38dabb35390988fc9”,“type_id”:4096,“zone_id”:null,“user_name”:“xxxxxxxxx”,“sep_installed”:true}; line: 1, column: 629]
It is always different Unrecognized character escape. I guess here at - WINDOWS\assembly - it recognize backslash as escape.
Any advice?
Thanks.