Manipulating array of JSON objects


#1

Hello,

I have an array of objects named sections like so:

{
  "structure": "IMAGE_SECTION_HEADER",
  "name": ".text",
  "flags": [
    "IMAGE_SCN_CNT_CODE",
    "IMAGE_SCN_MEM_EXECUTE",
    "IMAGE_SCN_MEM_READ"
  ]
},
{
  "structure": "IMAGE_SECTION_HEADER",
  "name": ".rdata",
  "flags": [
    "IMAGE_SCN_CNT_INITIALIZED_DATA",
    "IMAGE_SCN_MEM_READ"
  ]
},
{
  "structure": "IMAGE_SECTION_HEADER",
  "name": ".idata",
  "flags": [
    "IMAGE_SCN_CNT_INITIALIZED_DATA",
    "IMAGE_SCN_MEM_READ",
    "IMAGE_SCN_MEM_WRITE"
  ]
}

I would like to dynamically create fields like so (basically set the whole object for each name as the value for the newly created field):

sections.text : 

{
  "structure": "IMAGE_SECTION_HEADER",
  ".name": ".text",
  "flags": [
    "IMAGE_SCN_CNT_CODE",
    "IMAGE_SCN_MEM_EXECUTE",
    "IMAGE_SCN_MEM_READ"
  ]
}

The following Ruby code works fine for setting the field name, however, I am not able to populate the entire object into the value:

ruby {
  code => "event.get('sections').each {|hash| event.set('[new_sections][' + hash['name'].gsub('.', '') + ']', hash['value'])};" 
}

How would I access the current object that event.get('sections').each would be looking at to set that as the value for the hash in the event.set portion?

Any advice would be much appreciated. Thanks!


(Guy Boertje) #2

Try this:

input {
  generator {
    message => '{"sections":[
{
  "structure": "IMAGE_SECTION_HEADER", "name": ".text",
  "flags": ["IMAGE_SCN_CNT_CODE", "IMAGE_SCN_MEM_EXECUTE", "IMAGE_SCN_MEM_READ"]
},{
  "structure": "IMAGE_SECTION_HEADER", "name": ".rdata",
  "flags": [ "IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ"]
},{
  "structure": "IMAGE_SECTION_HEADER",
  "name": ".idata",
  "flags": [ "IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ", "IMAGE_SCN_MEM_WRITE"]
}]}'
    count => 1
  }
}

filter {
  json {
    source => "message"
    remove_field => ["message"]
  }
  ruby {
    code => '
hash = {}
event.get("sections").each do |section|
  # use fetch on the section hash so that gsub will always have a string to work with
  name_value = section.fetch("name", "no_name").gsub(/^\./, "")
  hash[name_value] = section
end
event.set("new_sections", hash)'
  }
}

output {
  stdout {
    codec => rubydebug
  }
}

Result:

{
        "@version" => "1",
        "sequence" => 0,
        "sections" => [
        [0] {
            "structure" => "IMAGE_SECTION_HEADER",
                 "name" => ".text",
                "flags" => [
                [0] "IMAGE_SCN_CNT_CODE",
                [1] "IMAGE_SCN_MEM_EXECUTE",
                [2] "IMAGE_SCN_MEM_READ"
            ]
        },
        [1] {
            "structure" => "IMAGE_SECTION_HEADER",
                 "name" => ".rdata",
                "flags" => [
                [0] "IMAGE_SCN_CNT_INITIALIZED_DATA",
                [1] "IMAGE_SCN_MEM_READ"
            ]
        },
        [2] {
            "structure" => "IMAGE_SECTION_HEADER",
                 "name" => ".idata",
                "flags" => [
                [0] "IMAGE_SCN_CNT_INITIALIZED_DATA",
                [1] "IMAGE_SCN_MEM_READ",
                [2] "IMAGE_SCN_MEM_WRITE"
            ]
        }
    ],
      "@timestamp" => 2018-11-02T16:24:39.731Z,
    "new_sections" => {
         "text" => {
            "structure" => "IMAGE_SECTION_HEADER",
                 "name" => ".text",
                "flags" => [
                [0] "IMAGE_SCN_CNT_CODE",
                [1] "IMAGE_SCN_MEM_EXECUTE",
                [2] "IMAGE_SCN_MEM_READ"
            ]
        },
        "rdata" => {
            "structure" => "IMAGE_SECTION_HEADER",
                 "name" => ".rdata",
                "flags" => [
                [0] "IMAGE_SCN_CNT_INITIALIZED_DATA",
                [1] "IMAGE_SCN_MEM_READ"
            ]
        },
        "idata" => {
            "structure" => "IMAGE_SECTION_HEADER",
                 "name" => ".idata",
                "flags" => [
                [0] "IMAGE_SCN_CNT_INITIALIZED_DATA",
                [1] "IMAGE_SCN_MEM_READ",
                [2] "IMAGE_SCN_MEM_WRITE"
            ]
        }
    },
            "host" => "Elastics-MacBook-Pro.local"
}
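The same re-keying as a stand-alone Ruby script, added here as an example and not code from the original post or from Logstash itself. `FakeEvent` is a minimal stand-in for the Logstash event `get`/`set` API so the logic can be run and tested outside a pipeline; `section_key`, `rekey_sections`, `WX_FLAGS` and the two extra sample sections (a second `.text` and a packer-style `UPX1`) are this example's own additions. Beyond the answer above it handles two things a practitioner usually wants: duplicate or empty section names (legal in PE files and common in packed binaries) no longer overwrite each other, and sections that are both writable and executable are collected into a separate field, since W+X sections are a classic packer or injection tell.

```ruby
# Added example (not from the original post): re-key a "sections" array by
# section name the way the Logstash ruby filter above does, plus handling of
# duplicate/empty names and a derived list of writable+executable sections.
require 'json'

# Minimal stand-in for the Logstash event API (assumption of this example,
# not the real class): top-level get/set on a plain hash.
class FakeEvent
  def initialize(fields)
    @fields = fields
  end

  def get(field)
    @fields[field]
  end

  def set(field, value)
    @fields[field] = value
  end

  def to_hash
    @fields
  end
end

# Turn a raw section name into a safe hash key: drop the leading dot and
# replace anything outside [A-Za-z0-9_] with "_", so packer-style names
# (e.g. "UPX0", ".text$mn", "") cannot produce surprising field references.
def section_key(name)
  key = name.to_s.sub(/\A\./, '').gsub(/[^A-Za-z0-9_]/, '_')
  key.empty? ? 'no_name' : key
end

WX_FLAGS = %w[IMAGE_SCN_MEM_WRITE IMAGE_SCN_MEM_EXECUTE].freeze

# Equivalent of the filter's `code` block, written as a function so it can be
# unit tested outside Logstash.
def rekey_sections(event)
  sections = event.get('sections') || []
  by_name = {}
  wx = []

  sections.each_with_index do |section, idx|
    key = section_key(section.fetch('name', nil))
    # PE files may contain several sections with the same name; suffix the
    # repeat with its index instead of silently overwriting the first one.
    key = "#{key}_#{idx}" if by_name.key?(key)
    by_name[key] = section

    flags = section.fetch('flags', [])
    wx << section['name'] if (WX_FLAGS - flags).empty?
  end

  event.set('new_sections', by_name)
  event.set('wx_sections', wx)
  event
end

# Constructed sample input: the three sections from the question plus a
# duplicate ".text" and a W+X "UPX1" section to exercise the edge cases.
SAMPLE_JSON = <<~JSON
  {"sections": [
    {"structure": "IMAGE_SECTION_HEADER", "name": ".text",
     "flags": ["IMAGE_SCN_CNT_CODE", "IMAGE_SCN_MEM_EXECUTE", "IMAGE_SCN_MEM_READ"]},
    {"structure": "IMAGE_SECTION_HEADER", "name": ".rdata",
     "flags": ["IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ"]},
    {"structure": "IMAGE_SECTION_HEADER", "name": ".idata",
     "flags": ["IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ", "IMAGE_SCN_MEM_WRITE"]},
    {"structure": "IMAGE_SECTION_HEADER", "name": ".text",
     "flags": ["IMAGE_SCN_CNT_CODE", "IMAGE_SCN_MEM_EXECUTE", "IMAGE_SCN_MEM_READ"]},
    {"structure": "IMAGE_SECTION_HEADER", "name": "UPX1",
     "flags": ["IMAGE_SCN_CNT_CODE", "IMAGE_SCN_MEM_EXECUTE", "IMAGE_SCN_MEM_READ", "IMAGE_SCN_MEM_WRITE"]}
  ]}
JSON

def sample_event
  rekey_sections(FakeEvent.new(JSON.parse(SAMPLE_JSON)))
end

if __FILE__ == $PROGRAM_NAME
  puts JSON.pretty_generate(sample_event.to_hash)
end
```

To use the same logic inside the pipeline, paste the body of `rekey_sections` (with `section_key` and `WX_FLAGS` inlined) into the `code` string of the ruby filter; the `FakeEvent` class is only there so the script runs and can be tested without Logstash.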
