How do I output my JSON so that it looks like this:
[{"value":"main.abc.com","risk":"High","type":"fqdn","notes":"suspect"}]
It's currently outputting like this:
{"domain_data":[{"value":"main.abc.com","risk":"High","type":"fqdn","notes":"suspect"}]}
So I need to drop the "domain_data" field.
My filter is currently as follows:
input {
  # Poll the feed once a minute (cron "* * * * *", evaluated in UTC) and
  # decode the JSON body into event fields.
  http_poller {
    urls => {
      domain_data => {
        method => "get"
        url => "https://api.test.com/api/v2/test/"
        headers => {
          # The API credential is sent on every poll; prefer the Logstash
          # keystore / ${VAR} substitution over a literal in the pipeline file.
          "authorization" => "apikey <api_user>:<api_key>"
          Accept => "application/json"
        }
      }
    }
    # Truststore used to validate the API's TLS certificate; its password
    # likewise belongs in the keystore rather than in the config.
    truststore => "/home/test/ca.test.com.jks"
    truststore_password => "<truststore-password>"
    request_timeout => 60
    schedule => { cron => "* * * * * UTC" }
    # The response body is parsed as JSON, so the feed's top-level keys
    # (e.g. 'objects') become fields on the event.
    codec => "json"
  }
}
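filter {
  # Turn the polled response's 'objects' array into a de-duplicated list of
  # {value, risk, type, notes} entries stored on the event as 'domain_data'.
  # NOTE: an event always serializes as a JSON object, so the json codec will
  # keep this array nested under a field name; dropping that wrapper has to
  # happen in the output stage, not in this filter.
  ruby {
    code => "
      domain_list = []
      # Only an array of objects is usable; anything else (a missing field,
      # an error body) yields an empty list instead of an exception.
      objects = event.get('objects')
      objects = [] unless objects.is_a?(Array)
      objects.each do |object|
        next unless object.is_a?(Hash)
        value = object['value']
        next unless value
        # Map the numeric 'threatscore' onto a risk label. A missing or
        # out-of-range score is reported as 'unknown' so every entry carries
        # the same keys (previously a missing score left 'risk' out).
        risk = case object['threatscore']
               when 1..50 then 'Low'
               when 51..70 then 'Medium'
               when 71..85 then 'High'
               when 86..100 then 'Critical'
               else 'unknown'
               end
        domain_list << {
          'value' => value,
          'risk' => risk,
          'type' => 'fqdn',
          'notes' => 'suspect'
        }
      end
      # Keep the first entry seen for each 'value'
      domain_list.uniq! { |item| item['value'] }
      # Expose the result on the event as 'domain_data'
      event.set('domain_data', domain_list)
    "
  }
  # Drop the raw response and bookkeeping fields so only 'domain_data' remains
  mutate {
    remove_field => ["objects", "@version", "@timestamp", "meta"]
  }
}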
output {
stdout {
codec => rubydebug
}
file {
codec => "json"
path => ["/usr/share/logstash/bin/domain.json"]
}