Parsing nested JSON message

Hi All,

I have a nested JSON log file which I need to parse, using the following parser I was able to extract few fields. But I was not able to extract fields within the field.

e.g.I was able to extract “actor” but not ID,USER,DispalyName etc.The output for the field “actor” displays everything as it is.

{“actor”: {“id”: “00uidek465d6qLja356”, “type”: “User”, “alternateId”: "", “displayName”: “abc abc”, “detailEntry”: null},

---------------Sample parser ----------------------
rule “Logs extract-JSON”
starts_with(to_string($message.message), “{”) && ends_with(to_string($message.message), “}”)
let json = parse_json(to_string($message.message));
let map = to_map(json);

{“actor”: {“id”: “00uidek465d6qLja356”, “type”: “User”, “alternateId”: "", “displayName”: “abc abc”, “detailEntry”: null}, “client”: {“userAgent”: {“rawUserAgent”: “Mozilla/4.0 (compatible; MiIE 7.0; Windows NT 9.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Zoom 3.6.0)”, “os”: “Windows 7”, “browser”: “IE7”}, “zone”: “null”, “device”: “Computer”, “id”: null, “ipAddress”: “”, “geographicalContext”: {“city”: “San Jose”, “state”: “California”, “country”: “United States”, “postalCode”: “90112”, “geolocation”: {“lat”: 39.3512, “lon”: -111.8846}}}, “authenticationContext”: {“authenticationProvider”: null, “credentialProvider”: null, “credentialType”: null, “issuer”: null, “interface”: null, “authenticationStep”: 0, “externalSessionId”: “102Mh1Jym_QSmxxxxxxs5P32g”}, “displayMessage”: “User single sign on to app”, “eventType”: “user.authentication.sso”, “outcome”: {“result”: “SUCCESS”, “reason”: null}, “published”: “2019-10-02T15:30:51.056Z”, “securityContext”: {“asNumber”: 7518, “asOrg”: “xyz”, “isp”: “ccb services inc”, “domain”: “”, “isProxy”: false}, “severity”: “INFO”, “debugContext”: {“debugData”: {“initiationType”: “SP_INITIATED”, “authnRequestId”: “XZTCqX25xxxxxxxxxwrHgAAAZk”, “requestId”: “XZTCqn25oxxxxxxxxxwrMgAAAZk”, “signOnMode”: “SAML 1.0”, “requestUri”: “/login/sessionCookieRedirect”, “url”: “/login/sessionCookieRedirect?”}}, “legacyEventType”: “app.auth.sso”, “transaction”: {“type”: “WEB”, “id”: “XZTCqn25oBxxxxxxxxxxMgAAAZk”, “detail”: {}}, “uuid”: “9d8353af-e529-11e9-9fc4-7731adf66d32”, “version”: “0”, “request”: {“ipChain”: [{“ip”: “”, “geographicalContext”: {“city”: “San Jose”, “state”: “California”, “country”: “United States”, “postalCode”: “90112”, “geolocation”: {“lat”: 39.3512, “lon”: -111.8846}}, “version”: “V4”, “source”: null}]}, “target”: [{“id”: “0oai6h29kzos2ywF9356”, “type”: “AppInstance”, “alternateId”: “RingCentral”, “displayName”: “RingCentral”, “detailEntry”: {“signOnModeType”: “SAML_2_0”}}, {“id”: “0uaidqzxxxxxxxxKC356”, “type”: “AppUser”, “alternateId”: "", “displayName”: “abc abc”, “detailEntry”: null}]}

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.