alertmanager / alert_manager

Splunk Alert Manager with advanced reporting on alerts, workflows (modify assignee, status, severity) and auto-resolve features

Issue with fields being grouped together since upgrade to 3.0.7 #284

Open rolltidega opened 3 years ago

rolltidega commented 3 years ago

It seems that after the upgrade to 3.0.7, the JSON that is written for the alert_data_results sourcetype is writing certain fields as a single field, whereas before it was writing the fields as a JSON array, which is what we want as there are multiple values. It seems that the JSON arrays are now gone with the upgrade.

Before upgrade: Field_Key: "Value1", "value2", "value3"

Current Version: "Field_Key": "Value1 Value2 Value3"

nohcpy commented 3 years ago

CsvResultParser.py had a change in the latest version that seems to ignore appending the parsed multivalued fields to the "fields" list. Not sure what issues may have prompted the change, so we added a try statement to revert back to adding the parsed fields and fall back to adding the raw ordered dictionary.

try:
    fields.append(line)      # parsed multivalue fields, as in the previous version
except Exception:
    fields.append(my_line)   # fall back to the raw ordered dictionary
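The following is an added example, not code from the alert_manager project or its CsvResultParser.py. It shows in Python the two behaviours discussed in this thread: parsing a Splunk results CSV so that a multivalue field comes out as a JSON array, versus keeping the single joined string. It assumes Splunk's companion `__mv_<field>` column convention (`$v1$;$v2$`, with `$$` for a literal `$`); the sample CSV, the space-joined form of the plain column, and the names `split_mv`, `parse_results` and `to_json` are constructed for this example. For an analyst tool the difference matters: once `dest_ip` collapses to one string, any downstream workflow or rule that matches on exact values silently stops matching.

```python
import csv
import io
import json

# Constructed sample of a Splunk results CSV. A multivalue field appears as
# a plain column (values joined) plus a companion "__mv_<field>" column in
# the form "$v1$;$v2$" (assumed convention); single-valued rows leave it empty.
SAMPLE_CSV = (
    "host,dest_ip,__mv_dest_ip,count,__mv_count\n"
    'web01,"10.0.0.5 10.0.0.6 10.0.0.7",$10.0.0.5$;$10.0.0.6$;$10.0.0.7$,3,\n'
    "web02,10.0.0.9,,1,\n"
)


def split_mv(raw):
    """Split a "$a$;$b$" multivalue cell into a list.

    Each value is wrapped in single "$"; "$$" inside a value is a literal "$".
    Malformed cells raise ValueError instead of being silently joined.
    """
    values = []
    current = []
    i = 0
    n = len(raw)
    while i < n:
        if raw[i] != "$":
            raise ValueError("expected '$' at position %d" % i)
        i += 1
        while i < n:
            if raw[i] == "$":
                if i + 1 < n and raw[i + 1] == "$":
                    current.append("$")   # escaped dollar sign
                    i += 2
                    continue
                i += 1                    # closing "$"
                break
            current.append(raw[i])
            i += 1
        values.append("".join(current))
        current = []
        if i < n:
            if raw[i] != ";":
                raise ValueError("expected ';' at position %d" % i)
            i += 1
    return values


def parse_results(csv_text, keep_arrays=True):
    """Parse a results CSV into a list of dicts.

    keep_arrays=True  -> multivalue fields become lists (JSON arrays), the
                         behaviour the issue reporter had before the upgrade.
    keep_arrays=False -> the joined string column is kept as-is, the collapsed
                         form reported after the upgrade.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    results = []
    for row in reader:
        out = {}
        for key, value in row.items():
            if key.startswith("__mv_"):
                continue                  # companion column, consumed below
            mv = row.get("__mv_" + key, "")
            if keep_arrays and mv:
                out[key] = split_mv(mv)
            else:
                out[key] = value
        results.append(out)
    return results


def to_json(results):
    """Serialise parsed rows the way an alert_data_results event would be written."""
    return json.dumps(results, sort_keys=True)


if __name__ == "__main__":
    print(to_json(parse_results(SAMPLE_CSV)))
    print(to_json(parse_results(SAMPLE_CSV, keep_arrays=False)))
```

Running the block prints the same two rows twice: first with `dest_ip` as a three-element array, then with it as the single string `"10.0.0.5 10.0.0.6 10.0.0.7"`, which is exactly the before/after shape described at the top of this issue.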