I have a JSON file that I am ingesting into CRIBL. I have created a pipeline with the following functions: “JSON Unroll”, which is then followed by the “Parser” function with the following settings (Operation mode = Extract; Type = JSON Object; Source Field = _raw).
My single event now has a new field created called “records”, with what appears to be multiple arrays, one for each record (there are in excess of 250), like this:
records:
{}0:
a account_id: xxxxxxxxxx
a account_name: xxxxxxxx
a owner: xxxxxxxxx
a cost: xxxxxxxxxx
a group: xxxxxxxxxxxx
a reporter: xxxxxxxxxxxxx
{}1:
a account_id: yyyyyyyyyyy
a account_name: yyyyyyyyyyy
a owner: yyyyyyyyyyy
a cost: yyyyyyyyyyy
a group: yyyyyyyyyyy
a reporter: yyyyyyyyyyy
{}2:
a account_id: zzzzzzzzzzzzz
a account_name: zzzzzzzzzzzzz
a owner: zzzzzzzzzzzzz
a cost: zzzzzzzzzzzzz
a group: zzzzzzzzzzzzz
a reporter: zzzzzzzzzzzzz
etc…
I am running CRIBL version 3.5.1. I am trying to separate each of these records into an individual event. So, in my example above, {}0 with its 6 fields would be the 1st event, {}1 with its 6 fields would be the 2nd event, etc.
I have tried using various functions but can’t seem to get this to work. I would like to understand what the best way to do this would be.