Removing fields using mutate (JSON)

dsever · September 9, 2016, 9:05am

Hi,

While parsing some json logs I'm getting into problem with unavailability to remove one subfield,
for instance this is my JSON

"alert": [ { "src": { "url": "xxxx",
"domain": "xxxx",
"smtp-mail-from": "xxxxxxxx"
},
"severity": "xxxx",
"dst": { "smtp-to": "xxxxx"
},
"explanation": {
"protocol": "",
"service": "xxxxxx",
"analysis": "binary",
"os-changes": [ {XXXXXXX

Using
remove_field => ["json","message","[alert][explanation]] i can successfully remove til the field explanation but it cuts to much, so I need to cut it as os-changes as last filed.

But I get stuck into problem that buttom example doesn't cut os-changes

remove_field => ["json","message","[alert][explanation][os-changes]"]

Thanks
Dubravko

magnusbaeck · September 9, 2016, 9:22am

So you want to remove the os-changes subfield? It would be more obvious if you showed us what you want the resulting event to look like.

dsever · September 9, 2016, 10:47am

Hi,

Hi just want to remove fileld os-changes

"alert": [ { "src":
{ "url": "xxxx",
"domain": "xxxx",
"smtp-mail-from": "xxxxxxxx"
},
"severity": "xxxx",
"dst": { "smtp-to": "xxxxx"
},
"explanation": {
"protocol": "",
"service": "xxxxxx",
"analysis": "binary",
"os-changes": [ {XXXXXXX }] # and want to remove all included in os-changes array, because i contains a lots of data that is only overhead to our system, it should be simple
}

}
]

I suppose syntax would be
remove_field => ["json","message","[alert][explanation][os-changes]"]

but for some reason it doesn't work, I'm still getting filed os-changes and its subfields.
Dubravko

magnusbaeck · September 9, 2016, 10:50am

Okay. alert is an array so you need [alert][0][explanation][os-changes] to access the first element of it

dsever · September 9, 2016, 10:56am

So simple
Thanks, it works

system · July 6, 2017, 4:39am