Parsing nested JSON arrays

sera123k · December 16, 2019, 3:50am

Hello,

I am trying to parse a message from Office 365 that contains a nested array with some values in each item. I'm not 100% sure how to tackle it, the array i'm working with looks like this:

"targetResources" => [
[0] {
           "displayName" => "Some oAuth App",
                  "type" => "ServicePrincipal",
    "modifiedProperties" => [
        [0] {
            "displayName" => "ConsentContext.IsAdminConsent",
               "oldValue" => nil,
               "newValue" => "\"False\""
        },
        [1] {
            "displayName" => "ConsentContext.IsAppOnly",
               "oldValue" => nil,
               "newValue" => "\"False\""
        },
        [2] {
            "displayName" => "ConsentContext.OnBehalfOfAll",
               "oldValue" => nil,
               "newValue" => "\"False\""
        },
        [3] {
            "displayName" => "ConsentContext.Tags",
               "oldValue" => nil,
               "newValue" => "\"WindowsAzureActiveDirectoryIntegratedApp\""
        },
        [5] {
            "displayName" => "TargetId.ServicePrincipalNames",
               "oldValue" => nil,
               "newValue" => "\"spn_aa\""
        }
    ],
                    "id" => "client_4b"
}
],

I want to be able to create filters and visualizations based on the data in [targetResources][modifiedProperties], like show all documents where ConsentContext.IsAdminConsent.newValue => true. What I think I would need to do is make the value of [targetResources][modifiedProperties][displayName] a field and nest old and new value underneath it like [targetResources][modifiedProperties][ConsentContext.IsAdminConsent][newValue] => false. Is this the correct way to go about it?

The other problem is that I can't seem to figure out how to accomplish it, I can access the values with mutate but in the event there are more than 6 items in the array i'm stuck. I've assumed i'm going to be doing this with ruby and have been reading through a lot of other peoples ruby code but i'm struggling with how the syntax works. I'm able to grab the values directly like the mutate but I can't seem to figure out how to loop through the array and do that to the old and new value objects.

filter {
  ruby {
    code => '
    parent = event.get("[json][modifiedProperties][0][displayName]")
    newkey = parent + ".newValue"
    oldkey = parent + ".oldValue"
    newValue = event.get("[json][modifiedProperties][0][newValue]")
    oldValue = event.get("[json][modifiedProperties][0][oldValue]")
    event.set(newkey, newValue)
    event.set(oldkey, oldValue)'
  }
}

Does anyone have any examples or suggestions on how to accomplish this?

ITIC · December 16, 2019, 7:08am

Hi

You might try with the split filter.

Something like this:

filter {
  split {
    field => "[targetResources][modifiedProperties]"
  }
}

will give you one new event for each entry, regardless of how may there are.

Hope this helps

Badger · December 16, 2019, 3:41pm

Take a look at this.

system · January 13, 2020, 3:41pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash nested array JSON parsing Logstash	15	12062	October 20, 2017
Nested Json Array parse failure Logstash	10	455	October 30, 2020
How to parse the following nested json Logstash	2	306	November 2, 2021
Parsing nested json Logstash	2	241	September 30, 2020
Parse JSON array with nested objects Logstash	3	230	July 19, 2022

Parsing nested JSON arrays

Related Topics