Idea ID: 2871275

Have JSON extraprocessors create separate events for each item in an array

Status : New Idea

JSON connectors are designed to create a separate event for each entry in an array. However, when a JSON parser is used as an extraprocessor and the data has an array of events, only the first one gets turned into an ArcSight event. The rest are ignored. I have had several cases where sources sent arrays of events via JSON in syslog but I was unable to get the connector to go past the first event.

Having JSON extraprocessors create an event for each entry in an incoming array will allow connectors to parse more kinds of events without having to create complicated workarounds like Python front-ends.

The extraprocessor should create an event for each item in an array, using the same fields inherited from the main processor along with the fields relevant for each item in the array.