Looking for some advice to parse FW events coming in from Azure EventHub

Franky Laarits

hi all, Looking for some advice to parse FW events coming in from Azure EventHub. I have the feed working, but not having any success parsing the data. I tried running it thru a pipeline using parser, but it's not working. Here's what it looks like coming in: Any suggestions?

Johan Woger

hey, unroll function will be your new friend. After that you have splitted it up into multiple events and you can parse records field with parser function

Franky Laarits

i'll try it out. Thanks!

Jon Rust

i would use the JSON array event breaker rule so that it's unrolled right off the bat.

Jon Rust

another plug for the recently added EB Sandbox, as well as the <https://www.youtube.com/watch?v=kh6rTvw3tCU|Cribl Bytes video> on the topic)

Johan Woger

Does this also work with EventHub source? There you can´t add an event breaker and inside of the pipeline it not works for me with that kind of format. It get parsed but not break into separate events with Json array function.

Jon Rust

ahhh. snap. There are some sources without an EB option. EH may be one of those. Sorry to get your hopes up!

Jon Rust

EB or Unroll in-pipeline is the alternate choice

Johan Woger

yes, but would be nice to have it there :slightly_smiling_face:

Franky Laarits

there's no EB for EH, unfortunately. Unroll seems to do the job.

Franky Laarits

thanks, btw.