Parsing nested json object and make as a single filed

Charan_Adabala · July 12, 2018, 10:39am

I have a log file that's an array of objects that looks something like this:

[
{
"cate1": "data1a",
"cate2": "data2a"
},
{
"cate1": "data1b",
"cate2": "data2b"
}
]

but I need output like this can you help me please.

I want to concatenate the first object and second object, can you please help me.

Desired output:

"concatenate_fileds" : "data1a,data2a ## data1b,data2b"

Badger · July 12, 2018, 5:00pm

Apologies if my ruby coding style makes your eyeballs bleed, but

    ruby {
        code => '
            r = ""
            event.get("message").each { |x|
                s = ""
                x.each { |k, v|
                    s += v + ","
                }
                r += s + "##"
            }
            event.set("concatenate_fields", r)
        '
    }
    mutate { gsub => ["concatenate_fields", "[#,]+$", "" ] }

Charan_Adabala · July 13, 2018, 3:39am

Thanks for previous comment, Its help full for me. Can you please help me for below question:

I have this type event

"json": {
	"events": [{
		"parentPid": 8640,
		"eventType": "SYSTEM_API_CALL",
		"userName": "CABLE\\tmorte000",
		"policyState": "NOT_APPLIED",
		"killChainStatus": "INSTALL_RUN",
		"processId": 2704,
		"eventTime": 1530460682534,
		"parentHash": "6da8936fe2ca57ef9113bff6b28b10bd37c72097320c972cc8147666ba41fe48",
		"commandLine": "ACSR.EXE PAZRUSS -execacsr EXECACSR-8640 "
	}, {
		"parentPid": 8640,
		"eventType": "INJECT_CODE",
		"userName": "CABLE\\tmorte000",
		"policyState": "NOT_APPLIED",
		"processMd5Hash": "2329937bd244abc692fb8e5a4e21067a",
		"killChainStatus": "DELIVER_EXPLOIT",
		"processId": 2704,
		"eventTime": 1530460682533,
		"parentHash": "6da8936fe2ca57ef9113bff6b28b10bd37c72097320c972cc8147666ba41fe48",
		"commandLine": "ACSR.EXE PAZRUSS -execacsr EXECACSR-8640 "
	}]
}

I need to parse some fields from this events array, fields are "parentPid","eventType","policyState".

Desired output:
"output_fileds":"8640,SYSTEM_API_CALL,NOT_APPLIED ## 8640,INJECT_CODE,NOT_APPLIED"

Can you please help me on this.

Badger · July 13, 2018, 2:55pm

OK, so just change the core of the loop to be

        event.get("[json][events]").each { |x|
            s = x["parentPid"].to_s + "," + x["eventType"] + "," + x["policyState"]
            r += s + "##"
        }

system · August 10, 2018, 2:55pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.