hi all, Looking for some advice to parse FW events coming in from Azure EventHub. I have the feed working, but not having any success parsing the data. I tried running it thru a pipeline using parser, but it's not working. Here's what it looks like coming in: Any suggestions?
hey, the unroll function will be your new friend. After that you have split it up into multiple events and you can parse the records field with the parser function
i would use the JSON array event breaker rule so that it's unrolled right off the bat.
another plug for the recently added EB Sandbox, as well as the Cribl Bytes video (https://www.youtube.com/watch?v=kh6rTvw3tCU) on the topic
Does this also work with EventHub source? There you can't add an event breaker and inside of the pipeline it does not work for me with that kind of format. It gets parsed but does not break into separate events with the JSON array function.
ahhh. snap. There are some sources without an EB option. EH may be one of those. Sorry to get your hopes up!
EB or Unroll in-pipeline is the alternate choice
yes, but would be nice to have it there
there's no EB for EH, unfortunately. Unroll seems to do the job.
thanks, btw.