Generating events from a nested JSON

Some event sources send events as a nested JSON in a JSON message. The parser can be configured to extract and parse the nested JSON.

The following data contains a nested JSON in one of its objects, payload, so the parser must be configured using both the MessagePayload property and the JsonNestedPayload property. Example parser configurations and the tokens that each one generates are shown in the table that follows.

{
    "payload": "{\"properties\": {\"storage\": {\"type\": \"object\",\"oneOf\": [ {\"$ref\": \"#\/definitions\/diskDevice\"}, {\"$ref\": \"#\/definitions\/diskUUID\"},{\"$ref\": \"#\/definitions\/nfs\"},{\"$ref\": \"#\/definitions\/tmpfs\"}]},\"fstype\":{\"enum\":[\"ext3\",\"ext4\",\"btrfs\"]},\"options\":{\"type\":\"array\",\"minItems\":\"1\",\"items\": {\"type\": \"string\"},\"uniqueItems\": \"true\"}}}",
    "header": {"options" : "none"},
    "log":{"message":"Alert"}
}

Table 1. Tokens generated

Json parser properties:
    MessagePayload = "json.payload"
    JsonMessageDepth = 1
    MessageHeader = ""
    JsonNestedPayload = "json.properties.storage"
    JsonNestedHeader = ""
Tokens generated:
    resync_event=false
    type=object

Json parser properties:
    MessagePayload = "json.payload"
    JsonMessageDepth = 2
    MessageHeader = ""
    JsonNestedPayload = "json.properties.storage"
    JsonNestedHeader = ""
Tokens generated:
    enum=ext3,ext4,btrfs
    resync_event=false
    type=object

Json parser properties:
    MessagePayload = "json.payload"
    JsonMessageDepth = 3
    MessageHeader = ""
    JsonNestedPayload = "json.properties.storage"
    JsonNestedHeader = ""
Tokens generated:
    oneOf.0.$ref=#/definitions/diskDevice
    oneOf.1.$ref=#/definitions/diskUUID
    oneOf.2.$ref=#/definitions/nfs
    oneOf.3.$ref=#/definitions/tmpfs
    resync_event=false
    type=object

Json parser properties:
    MessagePayload = "json.payload"
    JsonMessageDepth = 3
    MessageHeader = ""
    JsonNestedPayload = "json.properties.storage"
    JsonNestedHeader = "json.properties.fstype"
Tokens generated:
    enum=ext3,ext4,btrfs
    oneOf.0.$ref=#/definitions/diskDevice
    oneOf.1.$ref=#/definitions/diskUUID
    oneOf.2.$ref=#/definitions/nfs
    oneOf.3.$ref=#/definitions/tmpfs
    resync_event=false
    type=object
    Note: The fstype object is not under the 'storage' object but is also parsed because it is specified as the Header object.

Json parser properties:
    MessagePayload = "json.log"
    JsonMessageDepth = 3
    MessageHeader = "json.header"
    JsonNestedPayload = ""
    JsonNestedHeader = ""
Tokens generated:
    message=Alert
    options=none
    resync_event=false
    Note: The resync_event token is not part of the Json message but is generated by the probe for internal use.
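
The two-stage parse behind the table, as an added Python sketch (not the probe's own code): the outer message is decoded, the string selected by MessagePayload is decoded a second time, and the nested paths are flattened into dotted tokens. The function names are hypothetical and the sample message is constructed from the one above. The sketch always flattens the selected object completely, so it corresponds to the JsonMessageDepth = 3 rows and the last row; it does not model depth limiting or the probe-internal resync_event token.

```python
import json

# Constructed sample mirroring the message on this page: "payload" is a JSON *string*.
NESTED = {"properties": {
    "storage": {"type": "object", "oneOf": [
        {"$ref": "#/definitions/" + n} for n in ("diskDevice", "diskUUID", "nfs", "tmpfs")]},
    "fstype": {"enum": ["ext3", "ext4", "btrfs"]},
    "options": {"type": "array", "minItems": "1", "items": {"type": "string"},
                "uniqueItems": "true"}}}
SAMPLE = json.dumps({"payload": json.dumps(NESTED),
                     "header": {"options": "none"}, "log": {"message": "Alert"}})

def select(doc, path):
    """Resolve a 'json.a.b' path against a parsed document; '' or a miss gives None."""
    node = doc if path else None
    for key in path.split(".")[1:]:          # drop the leading "json" root marker
        node = node.get(key) if isinstance(node, dict) else None
    return node

def flatten(node, prefix=""):
    """Flatten to dotted tokens: scalar arrays are comma-joined, object arrays indexed."""
    if isinstance(node, dict):
        items = node.items()
    elif isinstance(node, list) and any(isinstance(v, (dict, list)) for v in node):
        items = enumerate(node)
    else:
        value = ",".join(map(str, node)) if isinstance(node, list) else str(node)
        return {prefix[:-1]: value}
    tokens = {}
    for key, value in items:
        tokens.update(flatten(value, f"{prefix}{key}."))
    return tokens

def tokens_for(raw, message_payload, message_header="", nested_payload="", nested_header=""):
    """Hypothetical emulation: nested paths apply to the decoded payload string."""
    doc = json.loads(raw)
    paths = (message_header, message_payload)
    if nested_payload or nested_header:
        inner = select(doc, message_payload)
        if not isinstance(inner, str):
            raise ValueError("MessagePayload does not select a nested JSON string")
        doc = json.loads(inner)              # second decode; malformed nested JSON raises
        paths = (nested_header, nested_payload)
    tokens = {}
    for path in paths:
        node = select(doc, path)
        if isinstance(node, dict):           # only objects produce tokens in this sketch
            tokens.update(flatten(node))
    return tokens
```

A message whose MessagePayload object is not a string, or whose string is not valid JSON, raises ValueError here rather than silently producing no tokens.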