You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@metron.apache.org by "Laurens Vets (JIRA)" <ji...@apache.org> on 2017/08/11 20:48:00 UTC

[jira] [Created] (METRON-1106) JSONMap parser doesn't parse square brackets.

Laurens Vets created METRON-1106:
------------------------------------

             Summary: JSONMap parser doesn't parse square brackets.
                 Key: METRON-1106
                 URL: https://issues.apache.org/jira/browse/METRON-1106
             Project: Metron
          Issue Type: Bug
    Affects Versions: 0.4.0, 0.4.1
         Environment: Metron 0.4.0 and most likely later versions as well.
            Reporter: Laurens Vets
            Assignee: Otto Fowler


While using the JSONMap parser with "mapStrategy":"UNFOLD", it seems that square brackets aren't parsed out.

For instance, this AWS event:

{"eventVersion":"1.05","userIdentity":{"type":"AWSService","invokedBy":"ec2.amazonaws.com"},"eventTime":"2017-08-11T13:43:23Z","eventSource":"sts.amazonaws.com","eventName":"AssumeRole","awsRegion":"eu-central-1","sourceIPAddress":"ec2.amazonaws.com","userAgent":"ec2.amazonaws.com","requestParameters":{"roleSessionName":"<ROLE_SESSION_NAME>","roleArn":"arn:aws:iam::<AWS_ID>:role/<ROLE_ID>"},"responseElements":{"credentials":{"sessionToken":"<SESSION_TOKEN>","accessKeyId":"<ACCESS_KEY_ID>","expiration":"Aug 11, 2017 7:48:35 PM"}},"requestID":"<REQUEST_ID>","eventID":"<EVENT_ID>","resources":[{"ARN":"arn:aws:iam::<AWS_ID>:role/<ROLE_ID>","accountId":"<AWS_ID>","type":"AWS::IAM::Role"}],"eventType":"AwsApiCall","recipientAccountId":"<AWS_ID>","sharedEventID":"<SHARED_EVENT_ID>"}

Contains:

"resources": [{
"ARN": "arn:aws:iam::<AWS_ID>:role/<ROLE_ID>",
"accountId": "<AWS_ID>",
"type": "AWS::IAM::Role"
}
],

I would expect this is parsed out as:

resources.accountId: "<AWS_ID>"
resources.type: "AWS::IAM::Role"
resources.ARN: "arn:aws:iam::<AWS_ID>:role/<ROLE_ID>"

However, in Kibana, I see the following content for the field "resources" (pasted as it appears in Kibana):

{
  "accountId": "<AWS_ID>",
  "type": "AWS::IAM::Role",
  "ARN": "arn:aws:iam::<AWS_ID>:role/<ROLE_ID>"
}

Additionally, Kibana will show the error message "Objects in arrays are not well supported."



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)