cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Highlighted
Level 9
Report Inappropriate Content
Message 1 of 4

JSON Parsing

Jump to solution

Hi,

We are trying to Parser for Data Source that is coming from JSON File,

When we assign the filed, everything looks normal and fine, but when we start recieve logs, on the ESM we do not see anything in the Custom types or in the message rule.

does anyone here had this kind of issue and solve it?

1 Solution

Accepted Solutions
Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 3 of 4

Re: JSON Parsing

Jump to solution

Hi Dmitry,

The following SR has been opened for this issue & has been submitted to Engineering as a defect.

SR 4-21150377758  - Custom Types not being displayed in events generated from JSON ASP rule.

Attached are the screenshots showing the lab replication results.

We will keep you updated via the service request.

Regards,

Prashanth B Pillai

McAfee Technical Support

Customer Success Group

View solution in original post

3 Replies
Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 4

Re: JSON Parsing

Jump to solution

Dear Customer,

I have been able to successfully replicate the issue in lab. I will be submitting this to SIEM engineering rules team as a defect.

We will inform you about the updates via the service request.

Regards,

Prashanth B Pillai

McAfee Technical Support

Customer Success Group

Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 3 of 4

Re: JSON Parsing

Jump to solution

Hi Dmitry,

The following SR has been opened for this issue & has been submitted to Engineering as a defect.

SR 4-21150377758  - Custom Types not being displayed in events generated from JSON ASP rule.

Attached are the screenshots showing the lab replication results.

We will keep you updated via the service request.

Regards,

Prashanth B Pillai

McAfee Technical Support

Customer Success Group

View solution in original post

Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 4 of 4

Re: JSON Parsing

Jump to solution

Following was the reply from Engineering:

Looks like the issue is at the beginning of the file that is imported is a byte order mark.

This causes the json parser to not be able to parse it correctly:

They have 2 options:

1) Remove the byte order mark from the source file and continue to use the json mappings in the rule.

2) Retain the current byte order marking on the file and write regular expressions to match the values they want to map and map them via the regular expression instead of using the json parser.

For Example, we put the following pcre and mapping in their rule for a test and it mapped the value correctly.

pcre:"\x22Type\x22\s*\x3a\s*\x22(?P<test>[^\x22]*)\x22"; var@{Status}:${test};

 

Regards,

 

Prashanth B Pillai

McAfee Technical Support

Customer Success Group

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community