Extract a field from a text field

RaonyO · May 26, 2022, 9:38pm

I'm trying to extract the fields that come within the "indicator" and "agentDetectionInfo" field, could someone help me?
here's the log in json:

{
  "_index": "xxx",
  "_type": "_doc",
  "_id": "xxxxxhvfUu_M2V8K",
  "_score": 1,
  "fields": {
    "indicators": [
      "[{'category': 'Abnormalities', 'description': 'This binary contains abnormal section names which could be an indication that it was created with non-standard development tools', 'ids': [1], 'tactics': []}, {'category': 'Hiding/Stealthiness', 'description': 'The majority of sections in this PE have high entropy, a sign of obfuscation or packing', 'ids': [29], 'tactics': []}]"
    ],
    "@timestamp": [
      "2022-05-18T12:23:45.251Z"
    ],
    "agentDetectionInfo": [
      "{'accountId': 'xxxx36xx4xxx4xx3', 'accountName': 'XXX Software', 'agentDetectionState': 'full_mode'}"
    ],
}

Tomo_M · May 27, 2022, 3:33am

Hi,

You may need JSON processor of ingest pipeline to parse the string while indexing, or using Logstash or some ETL client to parse the string before indexing the documents.

system · June 24, 2022, 3:34am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.