JsonList parser

Hi,
Is there a function that I can use in Graylog when a JSON key has a complex value, like a list of elements?
I mean, if I have a JSON like:
{"DeviceProperties":{Name=OS, Value=MacOs}, {Name=BrowserType, Value=Chrome}}

Is there something that can be used to map all of those list values?
For example
DeviceProperties_OS = MacOs and so on

Thanks
Gianluca

I think there is a JSON extractor. There is also parse_json() in the pipeline that you can follow with a set_fields(). There were some other posts around here with people using them…

Hi, I used the JSON extractor, but the result for a list object is not valid JSON.

It seems to be the java HashMap.toString method output instead.
With this output I cannot work with it as a json

This isn’t a valid json either… :stuck_out_tongue:

It’s hard to work with text from a screen shot, use the </> forum tool and paste in actual text. What does the original message look like? I don’t have enough information to make suggestions…

You are right.
The original field contains the correct JSON text (before the JSON extractor):

{"DeviceProperties":[{"Name":"OS","Value":"MacOs"},{"Name":"BrowserType","Value":"Chrome"},{"Name":"IsCompliantAndManaged","Value":"False"},{"Name":"SessionId","Value":"dc4fe5cd-6bbf-4968-946a-51b5e7c4f872"}]}

Consider that between Name and OS I have the correct colon separator.

After the JSON extractor I have the result that I attached in the previous message, where
DeviceProperties is the key and the value is the string that I posted before, which seems to be Map.toString output.
As you can see, the quotes are missing too. So I think that the JSON extractor fails the JSON parse when the field is an object.

Hmmm… I did a little searching - this post here goes into more depth about json… it may help to find what you need…

Thanks a lot for your help

If you find a solution in there - post it up for future searchers - otherwise continue to ask, we’ll figure it out together!

Try the flatten_json function with parameter array_handler = "flatten"
https://docs.graylog.org/docs/functions-1#flatten_json

Hi @tmacgbay
I solved it by creating my own function, after removing the double quotes and using

let json_tree = parse_json(to_string($message."message_unquote"));
let jsonNode = to_map(json_tree);

my function is named list_fieldKVMap where

for example:

list_fieldKVMap("DeviceProperties", jsonNode["DeviceProperties"], "Name", "Value");

So, inside I get the object list and extract the field/value attribute. I add a new field using the parameterKey as key prefix

Remembering the input data:

{"DeviceProperties":[{"Name":"OS","Value":"MacOs"},{"Name":"BrowserType","Value":"Chrome"},{"Name":"IsCompliantAndManaged","Value":"False"},{"Name":"SessionId","Value":"dc4fe5cd-6bbf-4968-946a-51b5e7c4f872"}]}

the output is something like this:
image

With this approach I can reuse this function for other object lists, changing the attributes that I have to use for new field generation.

Gianluca
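
An added illustration, not part of Gianluca's post and not Graylog code: a Python sketch of the mapping he describes, where the prefix plus each entry's Name becomes the field name and Value becomes the field value. The function names, the field-name sanitising and the MAX_FIELDS cap are assumptions made here, because the names come from log data.

```python
import json
import re

# Constructed sample: the raw field value quoted in the thread.
RAW = ('{"DeviceProperties":[{"Name":"OS","Value":"MacOs"},'
       '{"Name":"BrowserType","Value":"Chrome"},'
       '{"Name":"IsCompliantAndManaged","Value":"False"},'
       '{"Name":"SessionId","Value":"dc4fe5cd-6bbf-4968-946a-51b5e7c4f872"}]}')

MAX_FIELDS = 32  # assumption: cap so log-supplied names cannot create unbounded fields


def list_field_kv_map(prefix, items, name_key="Name", value_key="Value"):
    """Map [{name_key: n, value_key: v}, ...] to {prefix_n: v}.

    Hypothetical Python rendering of the idea, not the poster's function.
    """
    fields = {}
    if not isinstance(items, list):
        return fields  # e.g. the stringified map the extractor produced
    for item in items:
        if not isinstance(item, dict) or name_key not in item:
            continue  # skip malformed entries instead of failing the message
        # The name comes from log data: restrict it to safe field-name characters.
        name = re.sub(r"[^A-Za-z0-9_]", "_", str(item[name_key]))
        key = f"{prefix}_{name}"
        if not name or key in fields:
            continue  # first occurrence wins; duplicates cannot overwrite it
        if len(fields) >= MAX_FIELDS:
            break
        value = item.get(value_key)
        # Keep scalars as they are; serialise nested values back to valid JSON.
        fields[key] = value if isinstance(value, (str, int, float, bool)) else json.dumps(value)
    return fields


def extract(raw, list_key="DeviceProperties"):
    try:
        tree = json.loads(raw)
    except json.JSONDecodeError:
        return {}  # not valid JSON, e.g. {Name=OS, Value=MacOs}
    if not isinstance(tree, dict):
        return {}
    return list_field_kv_map(list_key, tree.get(list_key))


if __name__ == "__main__":
    for k, v in extract(RAW).items():
        print(f"{k} = {v}")
```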

Great! It would be interesting to have a write up on how to create your own function and put it in the “templates and rules exchange” section. :smiley:

I second what @tmacgbay stated.