Generating events from a nested JSON

Some event sources send events as a nested JSON in a JSON message. The parser can be configured to extract and parse the nested JSON.

Given the following data which contains a nested JSON in one of its objects, payload, the parser needs to be configured using both the MessagePayload property and the JsonNestedPayload property. Example parser configuration and the tokens generated are shown in the table that follows.

{
"payload" :"{\"properties\": {\"storage\": {\"type\": \"object\",\"oneOf\": [ 
{\"$ref\": \"#\/definitions\/diskDevice\"}, {\"$ref\": 
\"#\/definitions\/diskUUID\"},{\"$ref\": \"#\/definitions\/nfs\"},{\"$ref\": 
\"#\/definitions\/tmpfs\"}]},\"fstype\":{\"enum\":[\"ext3\",\"ext4\",\"btrfs\"]},
\"options\":{\"type\":\"array\",\"minItems\":\"1\",\"items\": {\"type\": 
\"string\"},\"uniqueItems\": \"true\"}}}",

    "header": {"options" : "none"},
    "log":{"message":"Alert"}
}

Table 1. Tokens generated
Json parser properties	Tokens generated
`MessagePayload = “json.payload” JsonMessageDepth = 1 MessageHeader = “” JsonNestedPayload = “json.properties.storage” JsonNestedHeader = “”`	`resync_event=false type=object`
`MessagePayload = “json.payload” JsonMessageDepth = 2 MessageHeader = “” JsonNestedPayload = “json.properties.storage” JsonNestedHeader = “”`	`enum=ext3,ext4,btrfs resync_event=false type=object`
`MessagePayload = “json.payload” JsonMessageDepth = 3 MessageHeader = “” JsonNestedPayload = “json.properties.storage” JsonNestedHeader = “”`	`oneOf.0.$ref=#/definitions/diskDevice oneOf.1.$ref=#/definitions/diskUUID oneOf.2.$ref=#/definitions/nfs oneOf.3.$ref=#/definitions/tmpfs resync_event=false type=object`
`MessagePayload = “json.payload” JsonMessageDepth = 3 MessageHeader = “” JsonNestedPayload = “json.properties.storage” JsonNestedHeader = “json.properties.fstype”`	`enum=ext3,ext4,btrfs oneOf.0.$ref=#/definitions/diskDevice oneOf.1.$ref=#/definitions/diskUUID oneOf.2.$ref=#/definitions/nfs oneOf.3.$ref=#/definitions/tmpfs resync_event=false type=object` Note: The `fstype` object is not under the ‘storage’ object but is also parsed because it is specified as the Header object.
`MessagePayload = “json.log” JsonMessageDepth = 3 MessageHeader = “json.header” JsonNestedPayload = “” JsonNestedHeader = “”`	`message=Alert options=none resync_event=false`

Note: The resync_event token is not part of the Json message but is generated by the probe for internal use.