When a log sample arrives as nested JSON, you can proceed by selecting the patterns as shown below and assigning them to the fields you want.
Log Sample:
{"timestamp": "2024-10-08T16:44:29", "device": {"name": "Palo Alto Networks", "version": "10.3.0", "model": "firewall1"}, "threat": {"id": "EXE Threat", "type": "THREAT", "subtype": "wildfire", "severity": "high"}, "network": {"source": {"ip": "192.168.1.1", "user": "user1", "port": 5050, "zone": "zone1", "location": "internal"}, "destination": {"ip": "10.0.0.1", "port": 443, "zone": "zone2", "location": "external"}, "protocol": "tcp", "action": "block", "direction": "server-to-client"}, "file": {"type": "exe", "digest": "abc123"}, "cloud": {"ip": "198.51.100.1"}, "session": {"id": "123456"}}
In this log, which arrives as JSON with the structure above, you can see a main category called threat with its sub-keys nested under it. You can select them from the list, assign their equivalents as fields, and complete the work.
With this method, you may also need fields that do not appear under the category in the list. In that case, you can add the field manually according to the log structure.
Then click the Add item tab, select the field from the list, and continue.
Once all the logs are set up, you can save and deploy them.
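As an added illustration of what the mapping step does (example code, not the product's own), the Python below flattens the page's nested sample into the dotted paths you pick from, fills a set of target fields from them, and reports any target whose path is absent from the event, which is the case that has to be added by hand. The target field names in FIELD_MAP and the missing "file.name" path are constructed for the example.

```python
import json
from typing import Any, Dict, List, Optional

# Constructed copy of the page's nested log sample, as a single raw line.
SAMPLE_LOG = ('{"timestamp": "2024-10-08T16:44:29", "device": {"name": "Palo Alto Networks", '
              '"version": "10.3.0", "model": "firewall1"}, "threat": {"id": "EXE Threat", "type": "THREAT", '
              '"subtype": "wildfire", "severity": "high"}, "network": {"source": {"ip": "192.168.1.1", '
              '"user": "user1", "port": 5050, "zone": "zone1", "location": "internal"}, "destination": '
              '{"ip": "10.0.0.1", "port": 443, "zone": "zone2", "location": "external"}, "protocol": "tcp", '
              '"action": "block", "direction": "server-to-client"}, "file": {"type": "exe", "digest": "abc123"}, '
              '"cloud": {"ip": "198.51.100.1"}, "session": {"id": "123456"}}')

# Hypothetical target fields (left) mapped to dotted source paths (right).
# "file.name" is NOT in the sample: it stands for a field you would add manually.
FIELD_MAP: Dict[str, str] = {
    "event_time": "timestamp",
    "device_name": "device.name",
    "threat_severity": "threat.severity",
    "src_ip": "network.source.ip",
    "src_port": "network.source.port",
    "dst_ip": "network.destination.ip",
    "dst_port": "network.destination.port",
    "action": "network.action",
    "file_digest": "file.digest",
    "file_name": "file.name",
}

def flatten(obj: Dict[str, Any], prefix: str = "") -> Dict[str, Any]:
    """Turn nested objects into dotted paths: the list you pick source fields from."""
    out: Dict[str, Any] = {}
    for key, value in obj.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, path))
        else:
            out[path] = value
    return out

def available_paths(raw: str) -> List[str]:
    """Sorted dotted paths present in one raw JSON event."""
    return sorted(flatten(json.loads(raw)))

def map_event(raw: str, field_map: Dict[str, str]) -> Dict[str, Optional[Any]]:
    """Fill each target field from its source path; an absent path yields None."""
    flat = flatten(json.loads(raw))
    return {target: flat.get(source) for target, source in field_map.items()}

def unmapped_targets(raw: str, field_map: Dict[str, str]) -> List[str]:
    """Target fields whose source path is missing from this event (needs manual handling)."""
    flat = flatten(json.loads(raw))
    return [target for target, source in field_map.items() if source not in flat]
```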
You can use Static mapping in logs. At this stage, you need to take the Log Message List as a reference.
However, if you want to do the mapping with a file, you can find the steps specific to that method under Parse with JSON.