I have a WAF log like
{
  "terminatingRuleId": "Default_Action",
  "action": "ALLOW",
  "nonTerminatingMatchingRules": [{
    "ruleId": "AWS-AWSManagedRulesSQLiRuleSet",
    "action": "COUNT",
    "ruleMatchDetails": [{
      "conditionType": "SQL_INJECTION",
      "location": "BODY",
      "matchedData": ["{", "limit", ":100}"]
    }]
  }],
  "requestHeadersInserted": null,
  "responseCodeSent": null,
  "httpRequest": {
    "uri": "/v0.1/updates",
    "args": "",
    "httpVersion": "HTTP/1.1",
    "httpMethod": "POST"
  }
}
Now httpRequest_uri and httpRequest_httpMethod are set as labels, but we don't set nonTerminatingMatchingRules as a label. I'm looking for a way to show a log line like
POST - /v0.1/updates
-- ruleId | COUNT | contents of ruleMatchDetails
I've tried things like
{s3="aws-waf-logs", action="ALLOW"}
| json match="nonTerminatingMatchingRules"
| line_format "{{ .httpRequest_uri }}"
Because I set match to the embedded JSON, I can't reference httpRequest_uri anymore, it seems.
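
One way to get that output, as an added example that is not part of the original post: a single json stage can take several expressions, so the request fields and the rule fields can be extracted side by side instead of narrowing the parser to one key. The label names on the left (method, uri, rule_id, rule_action, rule_details) are made up for this example, and the [0] index assumes only the first non-terminating rule of each request needs to be shown.

```logql
# Added example: label names on the left-hand side are hypothetical.
# [0] reads only the first entry of nonTerminatingMatchingRules.
{s3="aws-waf-logs", action="ALLOW"}
  | json method="httpRequest.httpMethod",
         uri="httpRequest.uri",
         rule_id="nonTerminatingMatchingRules[0].ruleId",
         rule_action="nonTerminatingMatchingRules[0].action",
         rule_details="nonTerminatingMatchingRules[0].ruleMatchDetails"
  # Keep only requests where a non-terminating rule actually matched.
  | rule_id != ""
  | line_format "{{ .method }} - {{ .uri }}\n-- {{ .rule_id }} | {{ .rule_action }} | {{ .rule_details }}"
```

Because ruleMatchDetails is an array, rule_details is rendered as its raw JSON text, which keeps conditionType, location and matchedData visible for triaging COUNT-mode matches before the rule is switched to blocking.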