I am trying to transform the following JSON log: (AWS CloudWatch/Trail if it matters)
{
"eventVersion": "1.08",
"userIdentity": {
"type": "IAMUser",
"principalId": "xxx",
"arn": "arn:aws:iam::xxx",
"accountId": "xxx",
"accessKeyId": "xxx",
"userName": "xxx",
"sessionContext": {
"sessionIssuer": {},
"webIdFederationData": {},
"attributes": {
"mfaAuthenticated": "true",
"creationDate": "2021-01-07T13:50:07Z"
}
}
},
"eventTime": "2021-01-07T14:55:03Z",
"eventSource": "ec2.amazonaws.com",
"eventName": "AuthorizeSecurityGroupIngress",
"awsRegion": "us-east-1",
"sourceIPAddress": "xxx",
"userAgent": "console.ec2.amazonaws.com",
"requestParameters": {
"groupId": "sg-xxx",
"ipPermissions": {
"items": [
{
"ipProtocol": "tcp",
"fromPort": 22,
"toPort": 22,
"groups": {},
"ipRanges": {
"items": [
{
"cidrIp": "x.x.x.x/32",
"description": "x"
}
]
},
"ipv6Ranges": {},
"prefixListIds": {}
}
]
}
},
"responseElements": {
"requestId": "xxx",
"_return": true
},
"requestID": "xxx",
"eventID": "xxx",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"eventCategory": "Management",
"recipientAccountId": "xxx"
}
To the following output:
"AuthorizeSecurityGroupIngress made against sg-xxx on [accountname] from [[email protected]]"
"Port range: 22"
"Source IP: x.x.x.x"
"Description: x"
Currently, by passing these 2 blocks into the CloudWatch Input Transformer:
{
"event":"$.detail.eventName",
"sg":"$.detail.requestParameters.groupId",
"user":"$.detail.userIdentity.userName",
"sourceip":"$.detail.sourceIPAddress",
"dsc":"$.detail.requestParameters.ipPermissions.items"
}
"<event> made against <sg> on [accountname] from [<user>@<sourceip>]"
"Details: <dsc>"
I am able to create the following output:
"AuthorizeSecurityGroupIngress made against sg-xxx on [accountname] from [[email protected]]"
"Details: {items:[{ipProtocol:tcp,fromPort:22,toPort:22,groups:{},ipRanges:{items:[{cidrIp:x.x.x.x/32,description:x}]},ipv6Ranges:{},prefixListIds:{}}]}"
However, when I attempt to specify the input path even further by passing more specific placeholders:
{
"event":"$.detail.eventName",
"sg":"$.detail.requestParameters.groupId",
"user":"$.detail.userIdentity.userName",
"sourceip":"$.detail.sourceIPAddress",
"prt":"$.detail.requestParameters.ipPermissions.items.toPort",
"src":"$.detail.requestParameters.ipPermissions.items.ipRanges.items.cidrIp",
"dsc":"$.detail.requestParameters.ipPermissions.items.ipRanges.items.description"
}
"<event> made against <sg> on [accountname] from [<user>@<sourceip>]"
"Port Range: <prt>"
"Source IP: <src>"
"Description: <dsc>"
The output is blank for the placeholder values (prt, src, dsc):
"AuthorizeSecurityGroupIngress made against sg-xxx on [accountname] from [[email protected]]"
"Port range: "
"Source IP: "
"Description: "
vs. the expected:
"AuthorizeSecurityGroupIngress made against sg-xxx on [accountname] from [[email protected]]"
"Port range: 22"
"Source IP: x.x.x.x"
"Description: x"
Where am I messing up in the input path?
Is it the '[]' brackets causing the issue?
Upvotes: 1
Views: 1602
Reputation: 31
In two places your JSON has an items array, but your code treats them like objects. You need to call out the array element you want to pluck properties from:
"prt":"$.detail.requestParameters.ipPermissions.items[0].toPort",
"src":"$.detail.requestParameters.ipPermissions.items[0].ipRanges.items[0].cidrIp",
"dsc":"$.detail.requestParameters.ipPermissions.items[0].ipRanges.items[0].description"
Upvotes: 1
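As an added example (not code from the question, the answer, or AWS), here is a small Python model of the input transformer: it resolves the InputPathsMap paths against the event and substitutes them into the InputTemplate, so you can see why a dotted path through `items` comes back empty while `items[0]` yields 22. The event (account, user, IPs, and a second ingress rule) is constructed sample data, the resolver handles only the `$.a.b[0].c` subset of paths used on this page, and it renders objects and arrays as compact JSON where the real service prints them without quotes.

```python
"""Minimal model of the EventBridge / CloudWatch Events input transformer.

Added example, not AWS code: resolves an InputPathsMap against an event and
substitutes the values into an InputTemplate.
"""
import json
import re

# Constructed sample event: a CloudTrail-shaped record wrapped in the "detail"
# envelope. The second ipPermissions entry is constructed to show what an
# alert built on items[0] would miss.
SAMPLE_EVENT = {
    "detail": {
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",
            "ipPermissions": {
                "items": [
                    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                     "ipRanges": {"items": [
                         {"cidrIp": "198.51.100.7/32", "description": "bastion"}]}},
                    {"ipProtocol": "tcp", "fromPort": 3389, "toPort": 3389,
                     "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
                ]
            },
        },
    }
}

# Path segments: either a dotted key or a numeric [index].
_SEGMENT = re.compile(r"([^.\[\]]+)|\[(\d+)\]")


def resolve_path(event, path):
    """Resolve a `$.a.b[0].c` style path; None when any step does not apply."""
    if not path.startswith("$"):
        raise ValueError("path must start with '$'")
    node = event
    for key, index in _SEGMENT.findall(path[1:]):
        if key:
            # A dotted key applied to a list is the bug in the question:
            # a list has no member "toPort", so resolution stops here.
            if not isinstance(node, dict) or key not in node:
                return None
            node = node[key]
        else:
            if not isinstance(node, list) or int(index) >= len(node):
                return None
            node = node[int(index)]
    return node


def render(value):
    """Scalars as text, containers as compact JSON, missing values as ''."""
    if value is None:
        return ""
    if isinstance(value, bool):
        return str(value).lower()
    if isinstance(value, (dict, list)):
        return json.dumps(value, separators=(",", ":"))
    return str(value)


def transform(event, input_paths, template):
    """Fill every <name> placeholder in template from the resolved paths."""
    values = {name: render(resolve_path(event, p)) for name, p in input_paths.items()}
    return re.sub(r"<(\w+)>", lambda m: values.get(m.group(1), m.group(0)), template)


def all_ingress_rules(event):
    """Every (port range, CIDR, description) in the call, not just items[0].
    One AuthorizeSecurityGroupIngress call may carry several rules; an alert
    that only reports the first one hides the rest."""
    rules = []
    for perm in resolve_path(event, "$.detail.requestParameters.ipPermissions.items") or []:
        lo, hi = perm.get("fromPort"), perm.get("toPort")
        ports = str(hi) if lo == hi else f"{lo}-{hi}"
        for rng in perm.get("ipRanges", {}).get("items", []):
            rules.append((ports, rng.get("cidrIp"), rng.get("description", "")))
    return rules


TEMPLATE = ("<event> made against <sg> on [accountname] from [<user>@<sourceip>]\n"
            "Port range: <prt>\nSource IP: <src>\nDescription: <dsc>")

BROKEN_PATHS = {  # the second map from the question
    "event": "$.detail.eventName",
    "sg": "$.detail.requestParameters.groupId",
    "user": "$.detail.userIdentity.userName",
    "sourceip": "$.detail.sourceIPAddress",
    "prt": "$.detail.requestParameters.ipPermissions.items.toPort",
    "src": "$.detail.requestParameters.ipPermissions.items.ipRanges.items.cidrIp",
    "dsc": "$.detail.requestParameters.ipPermissions.items.ipRanges.items.description",
}
FIXED_PATHS = dict(BROKEN_PATHS, **{  # the answer's indexed paths
    "prt": "$.detail.requestParameters.ipPermissions.items[0].toPort",
    "src": "$.detail.requestParameters.ipPermissions.items[0].ipRanges.items[0].cidrIp",
    "dsc": "$.detail.requestParameters.ipPermissions.items[0].ipRanges.items[0].description",
})

if __name__ == "__main__":
    print(transform(SAMPLE_EVENT, BROKEN_PATHS, TEMPLATE), "\n---")
    print(transform(SAMPLE_EVENT, FIXED_PATHS, TEMPLATE), "\n---")
    print(all_ingress_rules(SAMPLE_EVENT))
```

The `[0]` index fixes the placeholders but only ever reports the first rule and the first CIDR of that rule. If the transformed message is feeding a security alert, keep the full `<dsc>` array dump from the first template alongside the indexed fields, or expand the array downstream as `all_ingress_rules` does, so a call that adds several rules in one go does not show up as a single harmless-looking line.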