Hi,
is there a function that I can use in Graylog when a json key has a complex value, like a list of element?
I mean, if I have a json like:
{"DeviceProperties":{Name=OS, Value=MacOs}, {Name=BrowserType, Value=Chrome}}
is there something that can be used to map all of that list values?
For example
DeviceProperties_OS = MacOs and so on
Thanks
Gianluca
I think there is a JSON extractor, there is also parse_json() in the pipeline that you can follow with a set_fields() there were some other posts around here with people using them…
Hi, I used the json Extractor but the result, for list object is not a valid json
It seems to be the java HashMap.toString method output instead.
With this output I cannot work with it as a json
This isn’t a valid json either… 
It’s hard to work with text from a screen shot, use the </> forum tool and paste in actual text. What does the original message look like? I don’t have enough information to make suggestions…
You are right.
The original field contains the correct json text (before json exractor)
{"DeviceProperties":[{"Name":"OS","Value":"MacOs"},{"Name":"BrowserType","Value":"Chrome"},{"Name":"IsCompliantAndManaged","Value":"False"},{"Name":"SessionId","Value":"dc4fe5cd-6bbf-4968-946a-51b5e7c4f872"}]}
consider that between the Name and OS I have the correct colons separator key.
After JSon extractor I have the result that I attached in the previous message where
DeviceProperties is the key and the value is a string that I post before that seems a Map.toString output.
As you can see , the quotes are missing too. So I think that the jsonExctractor fails the json parse the the field is an object
Hmmm… I did a little searching - this post here goes into more depth about json… it may help to find what you need…
Thanks a lot for your help
If you find a solution in there - post it up for future searchers - otherwise continue to ask, we’ll figure it out together!
Try the flatten_json function with parameter array_handler = “flatten”
https://docs.graylog.org/docs/functions-1#flatten_json
Hi @tmacgbay
i solved creating my own function after remove double quote and using
let json_tree = parse_json(to_string($message."message_unquote"));
let jsonNode = to_map(json_tree);
my function is named list_fieldKVMap where
for example:
list_fieldKVMap(“DeviceProperties”, jsonNode[“DeviceProperties”], “Name”, “Value”);
So, inside I get the object list and extract the field/value attribute. I add a new field using the parameterKey as key prefix
Remembering the input data:
{“DeviceProperties”:[{“Name”:“OS”,“Value”:“MacOs”},{“Name”:“BrowserType”,“Value”:“Chrome”},{“Name”:“IsCompliantAndManaged”,“Value”:“False”},{“Name”:“SessionId”,“Value”:“dc4fe5cd-6bbf-4968-946a-51b5e7c4f872”}]}
the output is something like this:
With this approach I can reuse this function for other object list changing the attributes that I have to use for new field generation
Gianluca
Great! It would be interesting to have a write up on how to create your own function and put it in the “templates and rules exchange” section. 
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.
