Required: JMESPath map function OR list indicator support in JSONSimple


L1 Bithead

Struggling with a SimpleJSON prototype integration for GitHub addresses.


Source is here:

First attempted a very simple extractor config for 'hooks' from the JSON above as an example:


default: null
interval: 257
sudden_death: true


confidence: 100
share_level: green
type: IPv4

extractor hooks | {indic:@}
indicator indic


This results in an error in the MineMeld 'statistics' area about parsing (with very little detail, as this is a cloud-hosted instance from Palo Alto):



Following the guide from: minemeld-to-extract-indicators-from-generic-api (JSON section), it specifically mentions that the indicators must be a key/value pair. Perhaps the output of a single "indicator" pointing at a list is not supported? To satisfy this, I worked with the tool and found the following syntax to use the map function to provide what I suspect must be required for parsing.

The JMESPath: map(&{"indic":@}, hooks)

Results in the list of key-value pairs as expected:

    "indic": ""
    "indic": ""
    "indic": ""


However, this also fails with a 'map function unknown' error, as it's not listed under the functions in the JMES specs here, even though the JMESPath testing website supports it. Unfortunately, this might be a more recent addition not yet supported!


Could definitely use some help clearing up the three questions:

  1. Is the use of a list in the indicator supported in the SimpleJSON poller?
    1. A first look at the code doesn't look like it knows how to deal with anything but str or unicode; assuming this is post JSON parse, it would be of type list in Python.
  2. Will the JMESPath Map function be supported?
  3. Can anyone recommend a solution to this?
    1. My next plan of attack is, even though it's a JSON API, to treat it as raw text and work with the Text basepoller and regex. Certainly not as clean a solution.