Pass default 0 value to missing field in json log search in Sumo Logic


I am trying to parse AWS ECR scan JSON logs to get a vulnerabilities table report using the query given below in Sumo Logic. The issue is that AWS ECR sends the fields CRITICAL or HIGH only when those are found; otherwise it omits those fields. How do I set the CRITICAL field to 0 if CRITICAL is not found in the JSON logs? I tried using isNull, isEmpty, and isBlank, but it seems I am missing something; please share your valuable advice. Thanks in advance.

_source="aws_ecr_events_test"
| json field=message "detail.repository-name" as repository_name
| json field=message "detail.image-tags" as tags
| json field=message "time" as last_scan
| json field=message "detail.finding-severity-counts.CRITICAL" as CRITICAL
| if(isNull("detail.finding-severity-counts.CRITICAL"), 0, CRITICAL) as CRITICAL
| json field=message "detail.finding-severity-counts.HIGH" as HIGH
| json field=message "detail.finding-severity-counts.MEDIUM" as MEDIUM
| json field=message "detail.finding-severity-counts.INFORMATIONAL" as INFORMATIONAL
| json field=message "detail.finding-severity-counts.LOW" as LOW
| json field=message "detail.finding-severity-counts.UNDEFINED" as UNDEFINED
| json field=message "detail.image-digest" as image_digest
| json field=message "detail.scan-status" as scan_status
| count by repository_name, tags, image_digest, scan_status, last_scan, CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL, UNDEFINED

Example log: detail:{finding-severity-counts:{LOW:1,HIGH:1}}


I think you're on the right track, but you might need a "nodrop" at the end of the parse line, otherwise Sumo Logic will just drop the records that don't match the json parse statement:

...
| json field=message "detail.finding-severity-counts.CRITICAL" as CRITICAL nodrop
| if(isNull(CRITICAL), 0, CRITICAL) as CRITICAL
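The same default-to-0 handling, as an added Python example that is not part of the question or the answer above: it parses constructed ECR image-scan events (all values, including the repository names, tags and the digest placeholder, are made up) and emulates both behaviours of the parse step, dropping records where the CRITICAL key is absent versus keeping them with the count set to 0, which is what nodrop plus isNull achieves in the query.

```python
import json

# Severity buckets ECR reports under detail.finding-severity-counts; any bucket with a
# zero count is simply omitted from the event, so each one needs a default of 0.
SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL", "UNDEFINED")

# Constructed sample events (not real ECR output). The second event has no CRITICAL key,
# mirroring the example log in the question.
SAMPLE_EVENTS = [
    json.dumps({
        "time": "2023-01-01T00:00:00Z",
        "detail": {
            "repository-name": "example/api",
            "image-tags": ["1.4.2"],
            "image-digest": "sha256:PLACEHOLDER_DIGEST_1",
            "scan-status": "COMPLETE",
            "finding-severity-counts": {"CRITICAL": 2, "HIGH": 3, "MEDIUM": 5},
        },
    }),
    json.dumps({
        "time": "2023-01-01T00:05:00Z",
        "detail": {
            "repository-name": "example/worker",
            "image-tags": ["0.9.0"],
            "image-digest": "sha256:PLACEHOLDER_DIGEST_2",
            "scan-status": "COMPLETE",
            "finding-severity-counts": {"LOW": 1, "HIGH": 1},
        },
    }),
]


def has_path(event, dotted_path):
    """True when the dotted JSON path exists in the event (a json parse match)."""
    node = event
    for key in dotted_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return False
        node = node[key]
    return True


def severity_row(event):
    """Build one report row; every severity bucket defaults to 0 when the key is missing."""
    detail = event.get("detail", {})
    counts = detail.get("finding-severity-counts", {})
    row = {
        "repository_name": detail.get("repository-name"),
        "tags": detail.get("image-tags", []),
        "image_digest": detail.get("image-digest"),
        "scan_status": detail.get("scan-status"),
        "last_scan": event.get("time"),
    }
    for severity in SEVERITIES:
        value = counts.get(severity)
        # Equivalent of: if(isNull(CRITICAL), 0, CRITICAL)
        row[severity] = 0 if value is None else int(value)
    return row


def parse_events(messages, nodrop=True):
    """Emulate the parse step: without nodrop, records lacking the CRITICAL key are
    discarded before the default can ever be applied; with nodrop they are kept."""
    rows = []
    for message in messages:
        event = json.loads(message)
        if not nodrop and not has_path(event, "detail.finding-severity-counts.CRITICAL"):
            continue  # dropped: the field never gets its 0 default
        rows.append(severity_row(event))
    return rows


if __name__ == "__main__":
    for row in parse_events(SAMPLE_EVENTS):
        print(row)
```

Running the block prints two rows, the second with CRITICAL, MEDIUM, INFORMATIONAL and UNDEFINED all at 0; calling `parse_events(SAMPLE_EVENTS, nodrop=False)` returns only the first row, which is the silent record loss the answer warns about.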