Parsing a JSON array of objects with field-value

tatdat · September 7, 2017, 3:23am

I have some log look like

{
	"ExtendedProperties": [
		{
			"Value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393",
			"Name": "UserAgent"
		},
		{
			"Value": "65",
			"Name": "UserAuthenticationMethod"
		},
		{
			"Value": "OAuth2:Authorize",
			"Name": "RequestType"
		},
		{
			"Value": "Success",
			"Name": "ResultStatusDetail"
		},
		{
			"Value": "False",
			"Name": "KeepMeSignedIn"
		}
	]
}

I used split filter like this

if [o365-azure] {
      split {
        field => "[o365][ExtendedProperties]"
      }
    }

But i got data one of element in array only llike this

"ExtendedProperties": {
        "Value": "Success",
        "Name": "ResultStatusDetail"
      }

I want data after filter success look like

"ExtendedProperties": {
      "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393",
      "UserAuthenticationMethod": "65",
      "RequestType": "OAuth2:Authorize",
      "ResultStatusDetail": "Success",
      "KeepMeSignedIn": "False"
}

How can do it? Thanks !

magnusbaeck · September 7, 2017, 5:37am

You'll have to use a ruby filter. Similar things have been discussed here in the past month so you should be able to find examples in the archives.

system · October 5, 2017, 5:37am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.