Json nested field

kvmuralidhar · January 10, 2022, 5:49pm

Hi All,

I have a field with value as a json object as follows

messageParts="[{\"disposition\":\"inline\",\"sha256\":\"f3c958fe6406140b13360a42b3237477dc5bc525f3858f64cca45bf2d02fc771\",\"md5\":\"c87f14af3c845fc6d8b84b15cc48dac0\",\"filename\":\"text.txt\",\"sandboxStatus\":null,\"oContentType\":\"text/plain\",\"contentType\":\"text/plain\"},{\"disposition\":\"inline\",\"sha256\":\"0f2cb440c517252b31fb18f1f4309678091ff39e849b66410d33cea339c21919\",\"md5\":\"70465367bce554e77a6e43b514114737\",\"filename\":\"text.html\",\"sandboxStatus\":null,\"oContentType\":\"text/html\",\"contentType\":\"text/html\"}\]"

How can I transform as follows ?

messageParts.disposition: ["inline, "inline"]
messageParts.sha256: ["f3c958fe6406140b13360a42b3237477dc5bc525f3858f64cca45bf2d02fc771", "0f2cb440c517252b31fb18f1f4309678091ff39e849b66410d33cea339c21919"]

I have tried ruby script and the values do show up as "nil" and not the actual value.

Thanks
Murali

Badger · January 10, 2022, 10:32pm

Not tested, but something like

ruby {
    code  => '
        messageParts = event.get("messageParts")
        if messageParts.is_a? Array
            messageParts.disposition = []
            messageParts.sha256 = []
            messageParts.each { |h|
                messageParts.disposition << h["disposition"]
                messageParts.sha256 << h["sha256"]
            }
            event.set("messageParts.disposition", messageParts.disposition)
            event.set("messageParts.sha256", messageParts.sha256)
        end
    '
}

kvmuralidhar · January 11, 2022, 3:02pm

Hi Badger,

Thanks, I will try out your solution as well. It turned out that the json was not well formatted, so I ended up replacing the extra "\" with "". Then I was able to use the json filter plugin to parse the field.

     ruby {
         code => '
            tmpMessageParts = event.get("messageParts")
            tmpMessageParts.gsub!("\\", "")
            event.set("messageParts", tmpMessageParts)
         '
      }

      json {
         source => "messageParts"
         target => "json_messageParts"
      }

Output from one doc (just for messageParts field)

           "messageParts" => [
        [0] {
                   "sha256" => "8417fa76090411452aff96bb93bbe07aeab0f001f871cefafe76b739ab06cda7",
                      "md5" => "61d390d413a915e7988713f84ec155b7",
            "sandboxStatus" => nil,
                 "filename" => "text.txt",
              "disposition" => "inline",
             "oContentType" => "text/plain",
              "contentType" => "text/plain"
        },
        [1] {
                   "sha256" => "aa05de5c520f2a5e1303ac38ca508014ff7114acc58115af55c94fb1e9eadc52",
                      "md5" => "4bf5d3c5addf581668a72afaeb53d727",
            "sandboxStatus" => nil,
                 "filename" => "text.html",
              "disposition" => "inline",
             "oContentType" => "text/html",
              "contentType" => "text/html"
        }

Thanks
Murali

system · February 8, 2022, 3:03pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.