
merge in parser extension overwrites the value instead of merging

I am writing a parser extension and want to update the security_result.description field.

if [@computed][message] != "" {
  # Write the computed text into a temporary security_result.description field
  mutate {
    replace => {
      "security_result.description" => "%{@computed.message}"
    }
  }

  # Merge the temporary field into the repeated UDM security_result field
  mutate {
    merge => {
      "event.idm.read_only_udm.security_result" => "security_result"
    }
  }

  # Emit the event
  mutate {
    merge => {
      "@output" => "event"
    }
  }
}
The end result is that all other security_result fields are deleted; I see only the description field.
How can I add the description field?


I also have the same question; can someone please provide an answer?

Hello,

I am also facing this issue; can someone please update on how we can handle this?

What other security_result fields are there in other parts of the parser?
Usually when I use security_result.* I assign a number for every single field.


Other security_result fields are like security_result.category, security_result.severity, security_result.threat_name, security_result.threat_status, etc.

Bug/known issue AFAIK: arrays get overridden, and since security_result is an array/repeated field we just avoid putting anything in it via an extension. Unfortunately this field is not really workable through parser extensions, so we just avoid it. You can use a different field and file a feature request.
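A workaround along the lines of the last reply, written here as an added example rather than code from the original post or from the product's own documentation: the computed text is written to a non-repeated UDM field, so the final merge never touches the repeated security_result field and its existing entries (category, severity, threat_name, threat_status) survive. It assumes that event.idm.read_only_udm.metadata.description is an acceptable destination for this text in your schema, that @computed.message is populated earlier as in the question, and that the extension's statements live inside the same filter block as the base parser.

```logstash
filter {
  # Added example (not from the original post). Assumption: @computed.message
  # has already been populated by an earlier statement, as in the question.
  if [@computed][message] != "" {
    mutate {
      replace => {
        # Assumed target: a non-repeated UDM field. Writing here avoids the
        # merge into the repeated security_result field that dropped the
        # other security_result.* values in the question.
        "event.idm.read_only_udm.metadata.description" => "%{@computed.message}"
      }
    }
  }

  # The repeated security_result field is left untouched by this extension;
  # only the event as a whole is emitted.
  mutate {
    merge => {
      "@output" => "event"
    }
  }
}
```

After deploying, check a few parsed events in UDM search to confirm that the pre-existing security_result entries still appear next to the new metadata.description value; if they do not, the extension is still writing into the repeated field somewhere.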