Hi All,
I have a field with value as a json object as follows
messageParts="[{\"disposition\":\"inline\",\"sha256\":\"f3c958fe6406140b13360a42b3237477dc5bc525f3858f64cca45bf2d02fc771\",\"md5\":\"c87f14af3c845fc6d8b84b15cc48dac0\",\"filename\":\"text.txt\",\"sandboxStatus\":null,\"oContentType\":\"text/plain\",\"contentType\":\"text/plain\"},{\"disposition\":\"inline\",\"sha256\":\"0f2cb440c517252b31fb18f1f4309678091ff39e849b66410d33cea339c21919\",\"md5\":\"70465367bce554e77a6e43b514114737\",\"filename\":\"text.html\",\"sandboxStatus\":null,\"oContentType\":\"text/html\",\"contentType\":\"text/html\"}\]"
How can I transform as follows ?
messageParts.disposition: ["inline, "inline"]
messageParts.sha256: ["f3c958fe6406140b13360a42b3237477dc5bc525f3858f64cca45bf2d02fc771", "0f2cb440c517252b31fb18f1f4309678091ff39e849b66410d33cea339c21919"]
I have tried ruby script and the values do show up as "nil" and not the actual value.
Thanks
Murali
Badger
January 10, 2022, 10:32pm
2
Not tested, but something like
ruby {
code => '
messageParts = event.get("messageParts")
if messageParts.is_a? Array
messageParts.disposition = []
messageParts.sha256 = []
messageParts.each { |h|
messageParts.disposition << h["disposition"]
messageParts.sha256 << h["sha256"]
}
event.set("messageParts.disposition", messageParts.disposition)
event.set("messageParts.sha256", messageParts.sha256)
end
'
}
Hi Badger,
Thanks, I will try out your solution as well. It turned out that the json was not well formatted, so I ended up replacing the extra "\" with "". Then I was able to use the json filter plugin to parse the field.
ruby {
code => '
tmpMessageParts = event.get("messageParts")
tmpMessageParts.gsub!("\\", "")
event.set("messageParts", tmpMessageParts)
'
}
json {
source => "messageParts"
target => "json_messageParts"
}
Output from one doc (just for messageParts field)
"messageParts" => [
[0] {
"sha256" => "8417fa76090411452aff96bb93bbe07aeab0f001f871cefafe76b739ab06cda7",
"md5" => "61d390d413a915e7988713f84ec155b7",
"sandboxStatus" => nil,
"filename" => "text.txt",
"disposition" => "inline",
"oContentType" => "text/plain",
"contentType" => "text/plain"
},
[1] {
"sha256" => "aa05de5c520f2a5e1303ac38ca508014ff7114acc58115af55c94fb1e9eadc52",
"md5" => "4bf5d3c5addf581668a72afaeb53d727",
"sandboxStatus" => nil,
"filename" => "text.html",
"disposition" => "inline",
"oContentType" => "text/html",
"contentType" => "text/html"
}
Thanks
Murali
system
(system)
Closed
February 8, 2022, 3:03pm
4
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.