Required: JMESPath map function OR list indicator support in JSONSimple


L1 Bithead

Struggling with a SimpleJSON prototype integration for GitHub addresses.

 

Source is here: https://api.github.com/meta

First attempted a very simple extractor config for 'hooks' from the JSON above as an example:

age_out:
    default: null
    interval: 257
    sudden_death: true
attributes:
    confidence: 100
    share_level: green
    type: IPv4
extractor: hooks | {indic:@}
indicator: indic
url: https://api.github.com/meta

 

This results in an error in the MineMeld 'statistics' area about parsing (with very little detail, as this is a cloud-hosted instance from Palo Alto):

METRIC          CURRENT              HISTORY (LAST 24H)
INDICATORS      0

METRIC          SINCE ENGINE START   HISTORY (LAST 24H)
ERROR.PARSING   3

 

The JSON section of the guide at minemeld-to-extract-indicators-from-generic-api specifically mentions that the indicators must be a key/value pair. Perhaps the output of a single "indicator" pointing at a list is not supported? To satisfy this, I worked with the JMESPath.org tool and found the following syntax to use the map function to provide what I suspect must be required for parsing.

The JMESPath: map(&{"indic":@}, hooks)

Results in the list of key-value pairs as expected:

[
  {
    "indic": "192.30.252.0/22"
  },
  {
    "indic": "185.199.108.0/22"
  },
  {
    "indic": "140.82.112.0/20"
  }
]

 

However, this also fails with a 'map function unknown' error, as it's not listed under the functions in the JMES specs here, even though the JMESPath testing website supports it. Unfortunately this might be a more recent addition not yet supported!

 

Could definitely use some help clearing up the three questions:

  1. Is the use of a list in the indicator supported in the SimpleJSON poller?
    1. A first look at the code doesn't look like it knows how to deal with anything but str or unicode; assuming this is post JSON parse, it would be of type list in Python.
  2. Will the JMESPath map function be supported?
  3. Can anyone recommend a solution to this?
    1. My next plan of attack, even though it's a JSON API, is to treat it as raw text and work with the Text basepoller and regex. Certainly not as clean a solution.
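
The two result shapes discussed in the post, as an added example that is not part of the original post and is not MineMeld code: it models what each expression evaluates to and shows a hypothetical normaliser (`extract_indicators`) that accepts both a list-valued and a string-valued indicator field and validates every entry as an IPv4 network. The sample document is constructed from the three ranges quoted above; whether the hosted MineMeld accepts the projection form named in the comment is not confirmed by the post.

```python
import ipaddress

# Constructed sample shaped like the "hooks" key of https://api.github.com/meta,
# using the three ranges quoted in the post.
SAMPLE_META = {"hooks": ["192.30.252.0/22", "185.199.108.0/22", "140.82.112.0/20"]}


def pipe_shape(doc):
    """Shape of `hooks | {indic:@}`: ONE object whose value is the whole list."""
    return {"indic": doc["hooks"]}


def per_item_shape(doc):
    """Shape of map(&{"indic":@}, hooks): one object per address.
    The JMESPath projection hooks[].{indic: @} evaluates to the same shape."""
    return [{"indic": h} for h in doc["hooks"]]


def extract_indicators(result, field="indic"):
    """Hypothetical normaliser: accept either shape, return (valid, rejected)."""
    items = result if isinstance(result, list) else [result]
    good, bad = [], []
    for item in items:
        value = item.get(field) if isinstance(item, dict) else None
        # A consumer that only handles str stops here when value is a list;
        # expand the list so each element is checked on its own.
        candidates = value if isinstance(value, list) else [value]
        for cand in candidates:
            if not isinstance(cand, str):
                bad.append(cand)
                continue
            try:
                # strict=True rejects entries with host bits set (e.g. 10.0.0.1/8)
                net = ipaddress.ip_network(cand, strict=True)
            except ValueError:
                bad.append(cand)
                continue
            if net.version != 4:          # attributes declare type: IPv4
                bad.append(cand)
            elif str(net) not in good:    # de-duplicate, keep feed order
                good.append(str(net))
    return good, bad


if __name__ == "__main__":
    print(extract_indicators(pipe_shape(SAMPLE_META)))
    print(extract_indicators(per_item_shape(SAMPLE_META)))
```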