Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Help to match and remove value from array with JOLT

Labels:
avatar
author-rank simonsig
New Contributor

Created on ‎11-18-2023 10:54 PM - edited ‎11-18-2023 10:59 PM

After using JOLT for many years now I still find myself fumbling my way into solutions, I am however stuck on the problem of how to selectively remove values from a JSON array.

The scenario is that  I am trying to solve for is that I want to wholly remove any values in the array whereby there is an equals "=" or really any "special" character.

Here is the example input:

 

{
  "tags": [
    "misp-pattern=\\\"Phishing - T1566\\\"",
    "circl:incident-classification=\\\"phishing\\\"",
    "IDS"
  ]
}

 

and the output should be;

 

{
  "tags": [
    "IDS"
  ]
}

 

For those interested I am trying to transpose tags from MISP (Threat Intel platform) and under certain conditions it inserts some horrible entries I want to wholly remove them.

I understand I can do this in a few steps by extracting and "recasting" this back into JSON however I need to do it via JOLT

3,501 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank SAMSAL
Super Guru

Created on ‎11-19-2023 08:14 AM - edited ‎11-19-2023 08:16 AM

Hi @simonsig ,

There is no straight forward generic way to do this using just jolt only. What you are looking for involves some regex manipulation that I dont think Jolt spec support. Maybe at some point it will be supported through the "modify-overwrite-beta"  spec by adding regexReplace function to the string functions.

Jolt however can support simple pattern matching. For example, if you use RHS "*=*" when traversing the tags array value in the  spec , it will give you values that contain "=" character. You can use this to accommodate for all possible special characters then direct values to InvalidTag object , whatever is left "*" can be directed to valid tags array. Then you can use another spec to remove the InvalidTags. The drawback of this is that you have to know all possible special characters and the list them as in the following spec:

 

[
  {
    "operation": "shift",
    "spec": {
      "tags": {
        "*": {
          // find all values with special character listed
          // below and move to InvalidTags
          "*\\\"*": {
            "$": "InvalidTags[]"
          },
          "*-*": {
            "$": "InvalidTags[]"
          },
          "*=*": {
            "$": "InvalidTags[]"
          },
          "*:*": {
            "$": "InvalidTags[]"
          },
          //The values that wont have any of the special
          //characters above will be moved to tags
          "*": {
            "$": "tags[]"
          }
        }
      }
    }
   },
  {
    "operation": "remove",
    "spec": {
      //Remove InvalidTags 
      "InvalidTags": ""
    }
  }
]

 

If you cant account for all possible special characters , then you cant just rely on Jolt . The simplest way I can think of is to use an UpdateRecord processor before Jolt  where you can use Expression Language that support regex replace functions to replace all special characters using the regex pattern "\W+"  with a common character like "?" then you can use the Jolt spec above but list only "*?*" values  to be moved to InvalidTags.

The UpdateRecord will look like:

SAMSAL_0-1700410078886.png

The value for the dynamic property /tags[*] which has the path to the tag array values:

 

${field.value:replaceAll('\W+','?')}

 

Note: Based on your input make sure the JsonRecordSetWrite OutputGrouping property is set to "One Line Per Object"

The Jolt Spec in this case will be as follows:

 

[
  {
    "operation": "shift",
    "spec": {
      "tags": {
        "*": {
          "*?*": {
            "$": "InvalidTags[]"
          },
          "*": {
            "$": "tags[]"
          }
        }
      }
    }
   },
  {
    "operation": "remove",
    "spec": {
      "InvalidTags": ""
    }
  }
]

 

This way you dont have to worry about what special characters you might end up with.

If you find this helpful please accept solution.

Thanks

 

View solution in original post

3,479 Views
2 REPLIES 2

avatar
author-rank SAMSAL
Super Guru

Created on ‎11-19-2023 08:14 AM - edited ‎11-19-2023 08:16 AM

Hi @simonsig ,

There is no straight forward generic way to do this using just jolt only. What you are looking for involves some regex manipulation that I dont think Jolt spec support. Maybe at some point it will be supported through the "modify-overwrite-beta"  spec by adding regexReplace function to the string functions.

Jolt however can support simple pattern matching. For example, if you use RHS "*=*" when traversing the tags array value in the  spec , it will give you values that contain "=" character. You can use this to accommodate for all possible special characters then direct values to InvalidTag object , whatever is left "*" can be directed to valid tags array. Then you can use another spec to remove the InvalidTags. The drawback of this is that you have to know all possible special characters and the list them as in the following spec:

 

[
  {
    "operation": "shift",
    "spec": {
      "tags": {
        "*": {
          // find all values with special character listed
          // below and move to InvalidTags
          "*\\\"*": {
            "$": "InvalidTags[]"
          },
          "*-*": {
            "$": "InvalidTags[]"
          },
          "*=*": {
            "$": "InvalidTags[]"
          },
          "*:*": {
            "$": "InvalidTags[]"
          },
          //The values that wont have any of the special
          //characters above will be moved to tags
          "*": {
            "$": "tags[]"
          }
        }
      }
    }
   },
  {
    "operation": "remove",
    "spec": {
      //Remove InvalidTags 
      "InvalidTags": ""
    }
  }
]

 

If you cant account for all possible special characters , then you cant just rely on Jolt . The simplest way I can think of is to use an UpdateRecord processor before Jolt  where you can use Expression Language that support regex replace functions to replace all special characters using the regex pattern "\W+"  with a common character like "?" then you can use the Jolt spec above but list only "*?*" values  to be moved to InvalidTags.

The UpdateRecord will look like:

SAMSAL_0-1700410078886.png

The value for the dynamic property /tags[*] which has the path to the tag array values:

 

${field.value:replaceAll('\W+','?')}

 

Note: Based on your input make sure the JsonRecordSetWrite OutputGrouping property is set to "One Line Per Object"

The Jolt Spec in this case will be as follows:

 

[
  {
    "operation": "shift",
    "spec": {
      "tags": {
        "*": {
          "*?*": {
            "$": "InvalidTags[]"
          },
          "*": {
            "$": "tags[]"
          }
        }
      }
    }
   },
  {
    "operation": "remove",
    "spec": {
      "InvalidTags": ""
    }
  }
]

 

This way you dont have to worry about what special characters you might end up with.

If you find this helpful please accept solution.

Thanks

 

3,480 Views

avatar
author-rank simonsig
New Contributor

Created ‎11-20-2023 12:52 AM

Thank you @SAMSAL superstar!

3,459 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements