Looking for some advice to parse FW events coming in from Azure EventHub
Hi all, looking for some advice to parse FW events coming in from Azure EventHub. I have the feed working, but I'm not having any success parsing the data. I tried running it through a pipeline using Parser, but it's not working. Here's what it looks like coming in: Any suggestions?
Answers
-
Hey, the Unroll function will be your new friend. After that you will have split it up into multiple events and you can parse the records field with the Parser function.
0 -
I'll try it out. Thanks!
0 -
I would use the JSON array event breaker rule so that it's unrolled right off the bat.
0 -
Another plug for the recently added EB Sandbox, as well as the Cribl Bytes video (https://www.youtube.com/watch?v=kh6rTvw3tCU) on the topic.
0 -
Does this also work with the EventHub source? There you can't add an event breaker, and inside the pipeline it doesn't work for me with that kind of format. It gets parsed but isn't broken into separate events with the JSON array function.
0 -
Ahhh, snap. There are some sources without an EB option. EH may be one of those. Sorry to get your hopes up!
0 -
EB or Unroll in the pipeline is the alternate choice.
0 -
Yes, but it would be nice to have it there :slightly_smiling_face:
0 -
There's no EB for EH, unfortunately. Unroll seems to do the job.
0 -
Thanks, btw.
0
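The thread settles on "Unroll the `records` array, then run Parser on each record". The block below is an added stand-alone JavaScript model of that two-step flow; it is not code from the thread, from Cribl Stream, or from Azure. It assumes the Event Hub payload is the Azure diagnostic-settings envelope (`{"records": [...]}`) and that the Azure Firewall rule log text in `properties.msg` has the form `<proto> request from <src>:<port> to <dst>:<port>. Action: <verdict>`; both are assumptions about the feed, and the sample message is constructed, not captured. It goes a little beyond the thread by also accepting a bare JSON array (the shape the JSON Array event breaker would split) and by keeping undecodable or unrecognised input intact instead of dropping it.

```javascript
// Added example, not from the thread or from Cribl: model of Unroll -> Parser
// for an Azure Event Hub envelope carrying Azure Firewall diagnostic logs.
// Envelope shape and msg text format are ASSUMED; sample data is CONSTRUCTED.

// Constructed sample: one Event Hub message, three firewall records inside.
const SAMPLE_EVENT_HUB_MESSAGE = JSON.stringify({
  records: [
    {
      time: "2024-01-15T10:00:00.000Z",
      category: "AzureFirewallNetworkRule",
      resourceId: "/SUBSCRIPTIONS/SUB1/RESOURCEGROUPS/RG1/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/FW1",
      operationName: "AzureFirewallNetworkRuleLog",
      properties: { msg: "TCP request from 10.0.0.4:51234 to 10.1.0.5:443. Action: Allow" },
    },
    {
      time: "2024-01-15T10:00:01.000Z",
      category: "AzureFirewallNetworkRule",
      resourceId: "/SUBSCRIPTIONS/SUB1/RESOURCEGROUPS/RG1/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/FW1",
      operationName: "AzureFirewallNetworkRuleLog",
      properties: { msg: "UDP request from 10.0.0.9:40000 to 198.51.100.7:53. Action: Deny" },
    },
    {
      // A category whose msg does not match the rule-log pattern: must survive unparsed.
      time: "2024-01-15T10:00:02.000Z",
      category: "AzureFirewallDnsProxy",
      resourceId: "/SUBSCRIPTIONS/SUB1/RESOURCEGROUPS/RG1/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/FW1",
      operationName: "AzureFirewallDnsProxyLog",
      properties: { msg: "DNS Request: 10.0.0.4:53 A IN example.com. NOERROR" },
    },
  ],
});

// Step 1: "Unroll". One Event Hub message becomes one event per element of
// `records`; envelope-level fields (if any) are copied onto each child event.
function unrollRecords(raw) {
  let body;
  try {
    body = JSON.parse(raw);
  } catch (err) {
    // Undecodable input is kept as a single raw event rather than dropped.
    return [{ _raw: raw, parseError: String(err.message) }];
  }
  if (body && Array.isArray(body.records)) {
    const { records, ...envelope } = body;
    return records.map((rec) => ({ ...envelope, ...rec }));
  }
  // Bare JSON array: the shape a JSON Array event breaker would split.
  if (Array.isArray(body)) return body;
  // Single object: already one event.
  return [body];
}

// Step 2: "Parser". Assumed Azure Firewall rule-log text format (IPv4 only;
// an IPv6 address with colons would not fit the lazy `(\S+?):(\d+)` groups).
const RULE_MSG = /^(\S+) request from (\S+?):(\d+) to (\S+?):(\d+)\.\s*Action:\s*(\w+)/;

function parseFirewallMsg(msg) {
  if (typeof msg !== "string") return null;
  const m = RULE_MSG.exec(msg);
  if (!m) return null;
  return {
    protocol: m[1],
    srcIp: m[2],
    srcPort: Number(m[3]),
    dstIp: m[4],
    dstPort: Number(m[5]),
    action: m[6],
  };
}

// Unroll, then parse each child event's properties.msg into a structured `fw`
// object. Events whose msg does not match are passed through unchanged.
function processMessage(raw) {
  return unrollRecords(raw).map((ev) => {
    const msg = ev && ev.properties ? ev.properties.msg : undefined;
    const fw = parseFirewallMsg(msg);
    return fw ? { ...ev, fw } : ev;
  });
}

// Usage when run directly with node: prints the three unrolled, parsed events.
if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(processMessage(SAMPLE_EVENT_HUB_MESSAGE), null, 2));
}
```

In Cribl Stream the same flow is the Unroll function pointed at the `records` field followed by a Parser function on the resulting record fields; the exact function settings are not shown in the thread, so the code above only models the behaviour, not the product configuration. The pass-through of non-matching and undecodable events is the check worth keeping in a real pipeline: a firewall feed that silently drops records it cannot parse is a detection gap.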