This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

SIEM search filter by numeric additional.fields

Posted 3 weeks ago
chroniclearner
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

I have a log source which parses out a field into additional.fields["Num_cloned_repos"]. The value is parsed as a numeric value. The parser code is as follows

 

if [Num_cloned_repos] != "" {
    mutate {
        replace => {
            "Num_cloned_repos_label.key" => "Num_cloned_repos"
        }
        rename => {
            "Num_cloned_repos" => "Num_cloned_repos_label.value.number_value"
        }
    }
    mutate {
        merge => {
            "additional.fields" => "Num_cloned_repos_label"
        }
    }
}

 

 While searching in SIEM search, I want to add a filter to only display events where Num_cloned_repos = 2

When I try below query, I get an error

 

metadata.log_type = "<LOG_TYPE>" and additional.fields["Num_cloned_repos"] = 2

 

compilation error validating query: type mismatch between "query.udm.additional.fields[Num_cloned_repos]" of type string and "2" of type int line: 1 column: 46-79 : invalid argument


When I try below query, I get an error

 

metadata.log_type = "<LOG_TYPE>" and additional.fields.key = "Num_cloned_repos" and additional.fields.value.number_value = 2

 

compilation error generating predicates: predicate conversion for filter expressions failed: dot syntax for map requires field path to end in "key" or "string_value" subfield: invalid argument

 How do I search a numeric additional.fields in SIEM search?

0 1 43
Topic Labels
0 Likes
1 REPLY 1

Posted on --/--/---- --:-- AM
JeremyLand
Staff
Reply posted on --/--/---- --:-- AM

@chroniclearner It looks like that value is being parsed as a string instead of an integer, you can use the convert function of the mutate filter to change it to an integer in the parser. Once it is stored as an int the first search example you provided should work.

https://cloud.google.com/chronicle/docs/reference/parser-syntax#convert_functions

On further investigation it turns out the search functions (both UDM and Yara-L) are looking at the `additional.fields.value.string_value` field.  If you update your parser to write to the `string_value` field instead of `number_value` you will be able to do string matching against it as normal. 

0 Likes
Top Solution Authors
View all