Parse json to extract values

jamesy_dobbin · July 12, 2022, 6:01pm

I have a custom alert that produces a file in json format.

I am trying to build a workflow that carries out decisions based on the presence of and values within a KVP. What is the correct method for doing this?

tyler_terenzoni · July 12, 2022, 6:24pm

Hi @jamesy_dobbin, can you share a little more information? Are you referring to an InsightIDR custom alert or something else?

Generally, specific variables from JSON objects can be referenced in two ways. First, if the schema of the JSON is defined in the output of the step that it is coming from then the specific variables can be referenced from the variable picker that is available on every step’s inputs(see below for an example).

Screen Shot 2022-07-12 at 2.20.44 PM

Secondly, if the schema is not defined then you can reference specific variables using handlebars in the format of {{[“step name”].[object name].[variable]}}.

Hopefully that helps!

jamesy_dobbin · July 12, 2022, 8:10pm

Hi Tyler,

Yes it is an InsightIDR custom alert. I was able to use the action step with the isdefined function to test for the parent object but I am not sure how to test for the KVP values within. The loop step didn’t seem to present me with the values to test for.

tyler_terenzoni · July 12, 2022, 8:57pm

It seems like this alert has been able to trigger the workflow already, is that right?

I would pass the {{[“trigger name”].[event].[entry]}} string as an input to this action in the workflow builder.

I would then edit the output of the action to return the full schema of the log entry being passed to the InsightConnect workflow within the output object.
Screen Shot 2022-07-12 at 4.54.54 PM
Screen Shot 2022-07-12 at 4.55.07 PM

This should allow all contained values that have been defined in the output to be accessed via the variable selector.

tyler_terenzoni · July 12, 2022, 8:58pm

To see the full schema of the event being sent over, you should be able to view the outputs of any older jobs that have run.

jamesy_dobbin · July 16, 2022, 11:03am

Thanks again Tyler. I actually played around and figured out how to use the jq plugin to parse the JSON.

I am now able to search for the object and test for the value in the array that l need.

I just need to figure out now how I can provide a scripted way for our service desk team to be able to add to a global artefact that I will be testing against as part of this workflow.

Jamesy